{"id":1431,"date":"2018-07-04T23:30:04","date_gmt":"2018-07-05T07:30:04","guid":{"rendered":"https:\/\/blog.mozilla.org\/netpolicy\/?p=1431"},"modified":"2018-07-04T23:30:04","modified_gmt":"2018-07-05T07:30:04","slug":"a-step-forward-for-government-vulnerability-disclosure-in-europe","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/04\/a-step-forward-for-government-vulnerability-disclosure-in-europe\/","title":{"rendered":"A step forward for government vulnerability disclosure in Europe"},"content":{"rendered":"<p><a href=\"https:\/\/blog.mozilla.org\/netpolicy\/2017\/10\/03\/vulnerability-disclosure-should-be-in-new-eu-cybersecurity-strategy\/\">We\u2019ve argued for many years<\/a> that governments should implement transparent processes to review and disclose the vulnerabilities that they learn about. Such processes are essential for the cybersecurity of citizens, businesses, and indeed governments themselves. To advance policy discourse on this issue in Europe, we recently participated in the <a href=\"https:\/\/www.ceps.eu\/content\/software-vulnerability-disclosure-europe\">Centre of European Policy Studies (CEPS) Taskforce on Software Vulnerability Disclosure<\/a>. The Taskforce\u2019s <a href=\"https:\/\/www.ceps.eu\/system\/files\/CEPS%20TFRonSVD%20with%20cover_0.pdf\">final report<\/a> was published this week and makes a strong case for the need for government vulnerability disclosure policies, and comes at a critical juncture as European policymakers debate the EU Cybersecurity Act.<\/p>\n<p>As the developer of a browser used by hundreds of millions of people every day, it is essential for us that vulnerabilities in our software are quickly identified and patched. Simply put, the safety and security of our users depend on it. The disclosure of such vulnerabilities (and the processes that underpin it) is particularly important with respect to governments. 
Governments often have unique knowledge of vulnerabilities, and learn about them in many ways: through their own research and development, by purchasing them, through intelligence work, or by reports from third parties. Crucially, governments can face conflicting incentives as to whether to disclose the existence of such vulnerabilities to the vendor immediately, or to delay disclosure in order to support offensive intelligence-gathering and law enforcement activities (so-called government hacking).<\/p>\n<p><a href=\"https:\/\/www.ceps.eu\/system\/files\/CEPS%20TFRonSVD%20with%20cover_0.pdf\">The Centre for European Policy Studies (CEPS) report on Software Vulnerability Disclosure in Europe<\/a> is the product of a broad stakeholder taskforce that included a diverse body of actors such as Airbus, the European Telecom Network Operators Association (ETNO), and the global digital rights advocacy group Access Now. Importantly, it reaffirms the need for European governments to put in place robust, accountable, and transparent government vulnerability disclosure review processes. While the taskforce\u2019s work focused on the <i>disclosure<\/i> of vulnerabilities acquired by government, it is clear that more policy work is required with respect to the processes underpinning acquisition, exploitation and the operational mechanics of disclosure by governments in Europe.<\/p>\n<p>Unfortunately, most EU governments have not yet implemented vulnerability disclosure review processes, a fact that constitutes a serious concern at a time when the cyber attack surface continues to widen. Luckily, European Union lawmakers have a unique opportunity to address this issue, and advance the norm that all Member States should have vulnerability disclosure processes. 
The European Parliament and the EU Council are presently debating the proposed EU Cybersecurity Act, and we <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/04\/24\/mozilla-publishes-recommendations-on-government-vulnerability-disclosure-in-europe\/\">reiterate our call<\/a> to European policymakers to use this legislation to give ENISA (the EU Cybersecurity agency) the mandate to assist and advise Member States on the development of policy and practices for government vulnerability disclosure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We\u2019ve argued for many years that governments should implement transparent processes to review and disclose the vulnerabilities that they learn about. Such processes are essential for the cybersecurity of citizens, &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/04\/a-step-forward-for-government-vulnerability-disclosure-in-europe\/\">Read more<\/a><\/p>\n","protected":false},"author":1559,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[283198,585,69,141519,10136],"tags":[],"coauthors":[318937],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>A step forward for government vulnerability disclosure in Europe - Open Policy &amp; Advocacy<\/title>\n<meta name=\"description\" content=\"We&#039;ve argued for many years that governments should implement transparent processes to review and disclose the vulnerabilities that they learn about. 
A new report from an influential European think tank has reiterated that point, at a crucial juncture in the EU lawmaking process.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/04\/a-step-forward-for-government-vulnerability-disclosure-in-europe\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Owen Bennett\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/04\/a-step-forward-for-government-vulnerability-disclosure-in-europe\/\",\"url\":\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/04\/a-step-forward-for-government-vulnerability-disclosure-in-europe\/\",\"name\":\"A step forward for government vulnerability disclosure in Europe - Open Policy &amp; Advocacy\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#website\"},\"datePublished\":\"2018-07-05T07:30:04+00:00\",\"dateModified\":\"2018-07-05T07:30:04+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/5b3cc3909c8b5ee76eb51df71ec36d63\"},\"description\":\"We've argued for many years that governments should implement transparent processes to review and disclose the vulnerabilities that they learn about. 
A new report from an influential European think tank has reiterated that point, at a crucial juncture in the EU lawmaking process.\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/04\/a-step-forward-for-government-vulnerability-disclosure-in-europe\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/04\/a-step-forward-for-government-vulnerability-disclosure-in-europe\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/04\/a-step-forward-for-government-vulnerability-disclosure-in-europe\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/netpolicy\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"A step forward for government vulnerability disclosure in Europe\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/netpolicy\/\",\"name\":\"Open Policy &amp; Advocacy\",\"description\":\"Mozilla&#039;s official blog on open Internet policy initiatives and developments\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/netpolicy\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/5b3cc3909c8b5ee76eb51df71ec36d63\",\"name\":\"Owen 
Bennett\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/image\/e46a666e0d8a768b13461b5a1539a34a\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6f774b07d5ad0d800fe5ec879c4be6c7?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6f774b07d5ad0d800fe5ec879c4be6c7?s=96&d=mm&r=g\",\"caption\":\"Owen Bennett\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"A step forward for government vulnerability disclosure in Europe - Open Policy &amp; Advocacy","description":"We've argued for many years that governments should implement transparent processes to review and disclose the vulnerabilities that they learn about. A new report from an influential European think tank has reiterated that point, at a crucial juncture in the EU lawmaking process.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/04\/a-step-forward-for-government-vulnerability-disclosure-in-europe\/","twitter_misc":{"Written by":"Owen Bennett","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/04\/a-step-forward-for-government-vulnerability-disclosure-in-europe\/","url":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/04\/a-step-forward-for-government-vulnerability-disclosure-in-europe\/","name":"A step forward for government vulnerability disclosure in Europe - Open Policy &amp; Advocacy","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/#website"},"datePublished":"2018-07-05T07:30:04+00:00","dateModified":"2018-07-05T07:30:04+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/5b3cc3909c8b5ee76eb51df71ec36d63"},"description":"We've argued for many years that governments should implement transparent processes to review and disclose the vulnerabilities that they learn about. A new report from an influential European think tank has reiterated that point, at a crucial juncture in the EU lawmaking process.","breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/04\/a-step-forward-for-government-vulnerability-disclosure-in-europe\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/04\/a-step-forward-for-government-vulnerability-disclosure-in-europe\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/04\/a-step-forward-for-government-vulnerability-disclosure-in-europe\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/netpolicy\/"},{"@type":"ListItem","position":2,"name":"A step forward for government vulnerability disclosure in Europe"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#website","url":"https:\/\/blog.mozilla.org\/netpolicy\/","name":"Open Policy &amp; Advocacy","description":"Mozilla&#039;s official blog on open Internet policy 
initiatives and developments","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/netpolicy\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/5b3cc3909c8b5ee76eb51df71ec36d63","name":"Owen Bennett","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/image\/e46a666e0d8a768b13461b5a1539a34a","url":"https:\/\/secure.gravatar.com\/avatar\/6f774b07d5ad0d800fe5ec879c4be6c7?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6f774b07d5ad0d800fe5ec879c4be6c7?s=96&d=mm&r=g","caption":"Owen Bennett"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts\/1431"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/users\/1559"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/comments?post=1431"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts\/1431\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/media?parent=1431"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/categories?post=1431"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/tags?post=1431"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/coauthors?post=1431"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}