Software Vulnerability Disclosure in Europe
Technology, Policies and Legal Challenges
Report of a CEPS Task Force

This report puts forward the analysis and recommendations for the design and implementation of a forward-looking policy on software vulnerability disclosure (SVD) in Europe. It is the result of extensive deliberations among the members of a Task Force formed by CEPS in September 2017, including industry experts, representatives of EU and international institutions, academics, civil society organisations and practitioners. Drawing on current best practices throughout Europe, the US and Japan, the Task Force explored ways to formulate practical guidelines for governments and businesses to harmonise the process of handling SVD throughout Europe. These discussions led to policy recommendations addressed to member states and the EU institutions for the development of an effective policy framework for introducing coordinated vulnerability disclosure (CVD) and government disclosure decision processes (GDDP) in Europe.

Chair: Marietje Schaake
Rapporteurs: Lorenzo Pupillo, Afonso Ferreira, Gianluca Varisco

June 2018
Centre for European Policy Studies (CEPS), Brussels

CEPS is an independent think tank based in Brussels, whose mission is to produce sound analytical research leading to constructive solutions to the challenges facing Europe today. The views presented in this report do not necessarily represent the opinions of all the participants of the Task Force, nor do they explicitly represent the view of any individual participant (unless explicitly mentioned in this report).
The views expressed in this report are those of the authors writing in a personal capacity and do not necessarily reflect those of CEPS or any other institution with which they are associated.

ISBN 978-94-6138-687-8
© Copyright 2018, CEPS
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, mechanical, photocopying, recording or otherwise – without the prior permission of the Centre for European Policy Studies.

CEPS, Place du Congrès 1, B-1000 Brussels
Tel: 32 (0) 2 229.39.11
e-mail: [email protected]
internet: www.ceps.eu

Table of Contents

Foreword ..... i
Preface ..... iii
Executive Summary ..... v
  CVD Policy ..... v
  Policy Recommendations from the Task Force ..... vi

Part I. Coordinated Vulnerability Disclosure in Europe
1. Introduction ..... 1
  1.1. Background ..... 1
  1.2. Some definitions ..... 4
  1.3. What is vulnerability disclosure? ..... 4
  1.4. Coordinated vulnerability disclosure ..... 5
  1.5. Actors in CVD ..... 6
  1.6. Phases of CVD ..... 7
    1.6.1. Bug bounty programs ..... 9
  1.7. Special cases of CVD ..... 9
    1.7.1. Multiparty CVD ..... 9
    1.7.2. Forever day vulnerabilities ..... 11
  1.8. Future issues in CVD ..... 11
3. State of play in CVD, by country ..... 13
  3.1. CVD within member states ..... 13
  3.2. Case studies of CVD in selected EU member states ..... 23
    3.2.1. The Netherlands ..... 23
    3.2.2. Latvia ..... 30
  3.3. Case studies of CVD outside the EU ..... 34
    3.3.1. United States ..... 34
    3.3.2. Japan ..... 39
4. Legal challenges from software vulnerability disclosure in the EU ..... 41
  4.1. Circumstances in which disclosure of software security vulnerability is advantageous ..... 41
  4.2. Legal challenges in relation to software vulnerability disclosure and the relevant legislative framework ..... 42
  4.3. Criminal law ..... 42
  4.4. Data protection law ..... 46
  4.5. Industrial property ..... 47
    4.5.1. Copyright ..... 47
    4.5.2. Trade secrets ..... 48
    4.5.3. Patents ..... 48
    4.5.4. Trademarks ..... 48
  4.6. Export control regulation ..... 48
  4.7. Conclusion ..... 49
5. Policy implications ..... 50
6. Recommendations for implementing CVD in Europe ..... 53
  6.1. Introduction ..... 53
    6.1.1. Opportunity cost ..... 53
    6.1.2. What can be done at EU level? ..... 53
  6.2. EU legislation ..... 54
    6.2.1. Amending Directive 2013/40/EU on attacks against information systems to support CVD ..... 54
    6.2.2. Protection of security researchers ..... 54
    6.2.3. Incentives for security researchers ..... 54
    6.2.4. Directive on security of network information systems ..... 54
    6.2.5. General Data Protection Regulation ..... 55
    6.2.6. Cybersecurity Act ..... 56
    6.2.7. Software vulnerabilities in durable goods ..... 57
  6.3. National legislation ..... 57
  6.4. National non-legislative activities ..... 57
  6.5. Framework Programme for Research and Innovation ..... 58

Part II. Government Disclosure Decision Processes ..... 61
7. Government Disclosure Decision Processes ..... 63
  7.1. GDDP in Europe ..... 64
  7.2. The US experience with GDDP ..... 64
  7.3. Recommendations for establishing GDDP in the EU ..... 73

Part III. Conclusions and Recommendations
8. Conclusions: It is time to act ..... 79
  8.1. CVD policies ..... 79
  8.2. Recommendations for the implementation of CVD in Europe ..... 81
    8.2.1. EU legislation ..... 81
    8.2.2. National legislation ..... 82
    8.2.3. EU research funding ..... 83
  8.3. Recommendations