The text currently under discussion in the European Parliament could seriously undermine established cybersecurity practices and open source development by imposing disproportionate obligations and strict requirements on vendors supplying products in Europe.
In a previous blog post and position paper, we expressed our concerns with the European Commission's original Cyber Resilience Act (CRA) proposal, particularly regarding the mandatory disclosure of unmitigated vulnerabilities and the scope of the open source exemption. Unfortunately, the changes made by the Industry Committee (ITRE) of the European Parliament fall short of improving the text and, in some cases, make the CRA's treatment of open source development worse. Members of the open source community have been speaking out against this. Below we highlight our key concerns:
- Open source projects with corporate employees as contributors would be subject to the CRA – The current text (Recitals 10 and 10a) would deem an open source project commercial as soon as it has committers employed by a commercial entity. Should this happen, the number of maintainers and contributors to open source projects is likely to decrease significantly. Projects might feel compelled to reject contributions from developers employed by the companies that use their software, and companies might in turn forbid their employees from contributing to open source projects. The result would be a less innovative and less secure software ecosystem.
- Open source projects receiving donations would fall under the strict rules of the CRA – Keeping open source projects sustainable is not an easy task, and accepting donations is one way to secure their financial independence. ITRE's version of the CRA (Recital 10b) threatens to undermine this: projects that accept recurring donations from commercial entities would fall within the scope of the CRA, even when they do not otherwise operate in the course of a commercial activity.
Additionally, Article 11 of the ITRE Committee's text would break coordinated vulnerability disclosure by requiring developers to report any unmitigated or unpatched vulnerabilities. Coordinated disclosure works by keeping knowledge of an unpatched flaw limited to the parties working on the fix until a patch is available; obliging developers to report such vulnerabilities to third parties within tight timeframes widens that circle before a fix exists and can only undermine the corrective work under way. It reflects a misunderstanding of how long it takes to fix such vulnerabilities and risks setting a worrying global precedent.
The ITRE Committee in the European Parliament will hold a vote on July 19. Should the Committee endorse the current version of the text, this will become the official European Parliament position ahead of the negotiations with the Council and the Commission.
We ask members of the ITRE Committee to consider the implications the current text would have for open source development in Europe. At a minimum, we call for a public debate on the CRA in Plenary before negotiations start with the Council and the Commission.