> The CRA aims to force projects to report vulnerabilities to an EU institution within a matter of "hours", which contradicts industry practices and may have severe unintended effects.
The EU is a much bigger user of open source, as are academic establishments and some 3rd-world countries. I don't see any harm in reporting a vuln to an EU institute, because the coders won't always know where their code is being used.
And because they won't know where their code is being used, they won't know the impact it could have on wider society, so I'm in full agreement with this, provided the EU institute is competent enough in the first place to handle this.
But the next question becomes: how will we know that such a vuln is not used for nefarious purposes?
Can the EU institute be trusted, or is this legislation designed to obtain zero-days without having to go on the dark web and purchase them at enormous cost, because there are typically little to no bug bounties with open source?