Security pros question EU zero-day rule

Security professionals, antivirus companies, and civil rights advocates are ringing alarm bells about the European Cyber Resilience Act (CRA). Their issue? Article 11.

This article says software vendors must report zero-day vulnerabilities to government bodies within 24 hours of discovering them. The coalition, which has significant clout in the industry, warns that this mandate could be misused for surveillance and even jeopardize cybersecurity efforts.

The CRA aims to toughen up the security of software and hardware. While the law comes with various guidelines, Article 11 is in the hot seat.

This provision sets a 24-hour deadline for reporting zero-days—vulnerabilities that are being actively exploited but for which no patch is yet available. The idea is to create a comprehensive database to help defend against cyber threats.

The open letter

The opposition has formalized its concerns through an open letter (PDF). The letter is far from a small outcry—it’s supported by tech giants like Google and respected organizations like the Electronic Frontier Foundation and Trend Micro.

The letter outlines several potential dangers tied to the 24-hour reporting rule:

  • Government misuse. The experts worry that the data could be misused by governments for surveillance and intelligence activities. With the information in hand, many government agencies would essentially have a roadmap to unpatched vulnerabilities.
  • A honey pot for attackers. The database of unpatched vulnerabilities could itself become a target for cybercriminals looking for weak spots to exploit.
  • Straining researcher-vendor relations. The experts argue that forcing companies to disclose vulnerabilities so quickly could harm the relationships between software vendors and security researchers. The rule might make researchers hesitant to report bugs in the first place.

The open letter doesn’t just highlight problems; it suggests solutions, too. The coalition wants Article 11 either axed or revised with the following changes:

  • Block government agencies from using the data for surveillance or any other form of offensive activity.
  • Only require reporting when patches are ready to roll out.
  • Exclude good-faith security research from the mandatory reporting.

The letter has been signed by experts from a wide range of institutions including ESET, Rapid7, Bitdefender, Google, Citizen Lab, TomTom, HackerOne, Panasonic, KU Leuven, Black Hat, DEF CON, and the Stanford University Cyber Policy Center.

The CRA is still in its draft stage, so there’s room for changes. How the European Union responds to this concerted pushback will be telling for the balance of power between government oversight and individual privacy.

What we know for sure is that the CRA proposal, especially Article 11, has ignited a complex debate over how to defend against cyber threats without compromising civil liberties.
