Calling for harmonisation of vulnerability programmes and initiatives in the EU: new ENISA report published

On 16 February, the European Union Agency for Information Security (ENISA) published a new report on the development of national vulnerability programmes. What emerged, according to input from industry players, national governments and the various actors involved in national vulnerability initiatives and programmes, is that the EU Coordinated Vulnerability Disclosure (CVD) ecosystem needs further integration. While some EU Member States have taken interesting approaches to the issue, an integrated EU vision and coordinated action are required.

Industry players have developed vulnerability policies and programmes at the organisational level, and national governments have recently made efforts to develop CVD policies. The top industry expectation is a national or European-level CVD policy that helps organisations and public administrations prioritise vulnerability management and encourages good security practices. Alignment with international standards would significantly facilitate harmonisation.

Bug bounty programmes (BBPs) have expanded their business models to offer different types of services and levels of involvement in vulnerability management processes. BBP platform providers are now working with public institutions to create customised programmes that suit their needs and IT infrastructures. Further expansion is expected as long as the community can rely on BBPs and trust between stakeholders is maintained.

Researchers play a crucial role in disclosing vulnerabilities, so understanding their motivations, incentives and challenges is essential. Reputation is a key incentive for them to report vulnerabilities through legal channels, as it brings fame and recognition. Legal protection is also crucial: uncertainty or a lack of clarity in the legal conditions may push researchers towards illegal channels instead.

Tools are needed to improve vulnerability disclosure processes, especially for vulnerabilities in open-source software (OSS). As commercial software and OSS become more intertwined, coordination between OSS developers and private vendors must improve. Coordination efforts are hindered by the lack of clarity about OSS vulnerability handling, responsibility and accountability among the actors across IT product supply chains.

Author(s): Livia DI BERNARDINI (APRE)

Reference: ENISA, Developing National Vulnerabilities Programmes, https://www.enisa.europa.eu/publications/developing-national-vulnerabilities-programmes