Calling for harmonisation of vulnerability programmes and initiatives in the EU: new ENISA report published

Calling for harmonisation of vulnerability programmes and initiatives in the EU: new ENISA report published

Last 16 February, the European Union Agency for Information Security (ENISA) has published a new report on the development of national vulnerability programmes. What emerged, according to reports from industry players, national governments, and multiple actors involved in national vulnerability initiatives and programs, is that the EU Coordinated Vulnerability Disclosure (CVD) ecosystem is in need of further integration. While some EU Member States have taken interesting approaches to the issue, an integrated EU vision and action is required.

Industry players have developed vulnerability policies and programs at the organizational level, as national governments have made recent efforts to develop CVD policies. The top industry expectation is the development of a national or European level CVD policy to help organizations and public administrations prioritize vulnerability management and encourage security practices. Alignment with international standards will significantly facilitate harmonization.

Bug Bounties Programmes (BBP) have expanded their business models to offer different types of services and levels of involvement in vulnerability management processes. BBP platform providers are now working with public institutions to create customized programs that suit their needs and IT infrastructures. Expansion is expected as long as the community can rely on BBPs and ensure trust between stakeholders.

Researchers play a crucial role in disclosing vulnerabilities, and understanding their motivations, incentives, and challenges is essential. Reputation is a key incentive for them to legally report vulnerabilities, leading to fame and recognition. Legal protection is also crucial, especially due to the uncertainty or non-clarity of legal conditions that may push them towards illegal channels.

Tools are necessary to improve vulnerability disclosure processes, especially for vulnerabilities related to open-source software (OSS). As commercial and OSS become more intertwined, there is a need to improve coordination between OSS developers and private vendors. Coordination efforts are hindered by the lack of clarity regarding OSS vulnerability handling, responsibility, and accountability among actors across IT product supply chains.

Author(s): Livia DI BERNARDINI (APRE)

Reference: ENISA, Developing National Vulnerabilities Programmes,