The CRA Introduces Mandatory Cybersecurity Requirements
The European CRA creates mandatory cybersecurity requirements for hardware and software with digital elements. The Act’s reach is broad, imposing new requirements for covered companies to undertake risk assessments, establish a coordinated vulnerability disclosure policy, manage vulnerabilities, and report any vulnerability exploited by a malicious actor.
The CRA covers all products with digital elements (PDEs) sold in Europe, regardless of where they are manufactured, and failure to comply could lead to fines or forced withdrawal of the product from the EU.
HackerOne Advocated to Protect Ethical Hackers
HackerOne’s advocacy helped drive notable improvements to the CRA, including (1) enhanced protections for good-faith security researchers from mandatory vulnerability reporting and (2) provisions encouraging EU states to protect researchers from liability and ensure they are compensated for their efforts. Several provisions of this final text reflect this effort:
- “Vulnerabilities that are discovered with no malicious intent for purposes of good faith testing, investigation, correction or disclosure to promote the security or safety of the system owner and its users should not be subject to mandatory notifications [Recital 35a].”
- “Member States are encouraged to adopt guidelines as regards the non-prosecution of information security researchers and an exemption from civil liability for their activities [Recital 35i].”
- “Manufacturers’ coordinated vulnerability disclosure policy should specify a structured process through which vulnerabilities are reported to a manufacturer in a manner allowing the manufacturer to diagnose and remedy such vulnerabilities… Given the fact that information about exploitable vulnerabilities in widely used products with digital elements can be sold at high prices on the black market, manufacturers of such products should be able to use programmes, as part of their coordinated vulnerability disclosure policies, to incentivise the reporting of vulnerabilities by ensuring that individuals or entities receive recognition and compensation for their efforts (so-called ‘bug bounty programmes’ [Recital 36].”
At HackerOne, a central part of our mission is to empower good-faith security researchers to protect the digital ecosystem from threats. We appreciate improvements made to the CRA, and we will continue to lead efforts to create a more favorable legal environment for security research.
In the meantime, companies offering PDEs in Europe should prepare for the CRA ahead of the implementation deadline, in particular the requirements that impact the disclosure and handling of vulnerabilities.
Vulnerability Reporting and Management
Companies selling PDEs in Europe should prepare to do the following:
Vulnerability Management:
- Ensure PDEs are free from “known exploitable vulnerabilities” before market release;
- Establish a coordinated vulnerability disclosure policy (CVD or VDP);
- Provide a contact address for reporting of vulnerabilities found in PDEs;
- Address and remediate vulnerabilities without delay, including by developing and maintaining processes to ensure regular testing and provide security updates where feasible;
- Share and publicly disclose information about fixed vulnerabilities once security updates are made;
- Provide a Software Bill of Materials of at least top level dependencies in the PDEs.
These vulnerability management requirements are aimed at improving transparency, timely remediation, and collaboration to create a more secure and resilient software environment. CVD and vulnerability handling processes enable companies to triage and accept vulnerability reports from the ethical hacking community. With efficient implementation of these security practices, organizations can stay ahead of emerging cyber threats.
Vulnerability Reporting:
- Report actively exploited vulnerabilities to the Computer Security Incident Response Team (CSIRT), designated as coordinator, and to ENISA within the timelines established in the Act.
- Provide an early warning notification within 24 hours of becoming aware of the actively exploited vulnerability’s existence.
- Provide general information within 72 hours of becoming aware of the actively exploited vulnerability, such as the nature of the exploit, any corrective or mitigating measures taken, and the sensitivity of the information.
- Provide a final report within 14 days of issuing a patch for the vulnerability, including a description of the vulnerability, its severity and impact, and details of the security update, or corrective measures that have been made.
- The CSIRT and ENISA will, except in extraordinary circumstances, disseminate the vulnerability reports to the market surveillance authorities in the Member States where the product is sold.
Regular vulnerability testing and implementation of bug bounty programs will help companies find and eliminate software flaws before an active exploitation triggers the requirement to notify regulators.
HackerOne urged EU lawmakers to revise the vulnerability reporting requirements of the CRA to allow companies to address the risks associated with requiring premature disclosure of potentially unmitigated vulnerabilities. Despite these efforts, the CRA requires product manufacturers to disclose vulnerabilities regardless of mitigation status and without guardrails for how government agencies may use the vulnerabilities. HackerOne will continue to work with EU officials and Member States during the CRA implementation to seek additional safeguards into this process.
How to Prepare
While the CRA’s security requirements will not take effect for several months, companies that intend to sell software or connected products in the EU should take the opportunity to get ahead of compliance. A first step would be to take inventory of the products that are likely to fall within the scope of the CRA to better understand your potential compliance burden and your potential attack surface. Companies should integrate vulnerability management measures throughout these (and all of their) products’ lifecycles and establish a regular testing cadence. Additionally, companies can establish a VDP as part of a comprehensive CVD program right now, and assess and modify as needed their vulnerability handling procedures to ensure disclosures are made in a timely manner. Taking preemptive actions to address vulnerabilities will both align with best practices and better position the company ahead of the CRA’s enforcement deadlines.