DIGITALEUROPE position paper on vulnerability stockpiling
DIGITALEUROPE position paper on vulnerability stockpiling
OBJECTIVES
DIGITALEUROPE believes that governments in the EU and beyond should put in place clear policies relating to the handling and disclosure of security vulnerabilities. We are concerned that governments stockpile and exploit security vulnerabilities in products, rather than reporting them to those who can fix them. The presumption should be in favour of immediate disclosure to the vendor in question using coordinated vulnerability disclosure, a global best practice, and, if any delay is warranted and approved, governments should disclose the vulnerability to the vendor in as timely a fashion as is reasonably practicable. Moreover, some internal, and aggregate and anonymised external, reporting should be required to ensure accountability regarding the frequency and nature of such decisions.