Agencja Unii Europejskiej ds. Cyberbezpieczeństwa, Skoordynowana polityka ujawniania luk w zabezpieczeniach w UE

APRIL 2022

COORDINATED VULNERABILITY DISCLOSURE POLICIES IN THE EU

EXECUTIVE SUMMARY

This report analyses information and presents an overview of coordinated vulnerability disclosure (CVD) policies at the national level within the EU. Aside from offering a comprehensive overview of the EU CVD state of play, it also provides high-level key findings and recommendations for future improvements.

As shown by the recent Apache Log4j vulnerability, a single software flaw can put hundreds of millions of devices around the world at risk, leaving organizations struggling to patch affected systems before the vulnerability turns into a security incident. This is yet another vulnerability with global repurcussions that shows the importance of security research, communication between stakeholders, patching and good security practices.

A national CVD policy is a framework under which security researchers are allowed and encouraged to research ICT products and services, following a set of rules, and report...