undefined | Better HN

0 pointsbuzer10mo ago0 comments

> Stores are not permitted to sell products with known vulnerabilities under new cybersecurity regulations.

What are the specifics on that? Like does the vulnerability need to be public or is it enough if just the vendor knows about it? Does everyone need to stop selling it right away if new vulnerability is discovered or do they some time patch it? I'm pretty sure software like Windows almost definitely has some unfixed vulnerabilities that Microsoft knows about and is in process of fixing every single day of the year. Currently even if they do have a fix, they would end up postponing it until next patch Tuesday.

And what even is "vulnerability" in this context? Remote RCE? DRM bypass?

0 comments

chillax10mo ago

Probably refering to CRA - Cyber Resilience Act

https://schjodt.com/news/the-cyber-resilience-act-enters-int...

https://digital-strategy.ec.europa.eu/en/policies/cyber-resi...

https://ec.europa.eu/commission/presscorner/detail/en/qanda_...

jeroenhd10mo ago

The full legal text doesn't fit in a HN comment, but I believe this is the meat of the description: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:...

Note that in the legal text above there is language stating what requirements from the annexes applies to what hard/software.

As far as I know (I haven't read the text fully) selling stuff is fine if the end user can update their software.

There is no clear description of what "vulnerability" entails. The definitions do include things like:

    ‘vulnerability’ means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;
    ‘cyber threat’ means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;
    ‘cybersecurity risk’ means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;

buzerOP10mo ago

Thanks. I tried to look into this a bit more and it sounds quite a few places are interpreting "be made available on the market without known exploitable vulnerabilities" as that there cannot be any known vulnerability at the release date. Germany's Federal Office for Information Security (BSI, https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publicat...) seems to be even looser with the definition, on 5.3.2.3 they actually say it's just "SHOULD", not "MUST". No clue what they are basing that on.

The "including the possibility to reset the product to its original state" is interesting one, would that prevent manufacturers from not allowing user to downgrade to original version (via eFuses)? 5.3.3.1 on those guidelines does say "initial or newest version", but that doesn't really sound like original state.

j / k navigate · click thread line to collapse