EU’s Proposed Cyber Resilience Act Raises Concerns for Open Source and Cybersecurity

The EU is in the middle of the amendments process for its proposed Cyber Resilience Act (CRA), a law intended to bolster Europe’s defenses against cyber-attacks and improve product security. The law targets a broad swath of products brought to market for European consumers, including Internet of Things (IoT) devices, desktop computers, and smartphones. It places requirements on device manufacturers and distributors with regard to vulnerability disclosure, and introduces new liability rules for cybersecurity incidents.

EFF welcomes the intention of the legislation, but as proposed the law would penalize open source developers who receive any amount of monetary compensation for their work. It would also require manufacturers to report actively exploited, unpatched vulnerabilities to regulators. That requirement risks exposing knowledge of those vulnerabilities, and of how to exploit them, to a larger audience, furthering the very harms the legislation is intended to mitigate.

Threats to Open Source Software

Open source software serves as the backbone of the modern internet. Contributions from developers working on open source projects such as Linux and Apache, to name just two, are freely used and incorporated into products distributed to billions of people worldwide. This is only possible because of revenue streams that reward developers for their work, including individual donations, foundation grants, and sponsorships. This ecosystem of development and funding is an integral part of both the functioning and the securing of today’s software-driven world.

The CRA imposes liabilities for commercial activity which bring vulnerable products to market. Though recital 10 of the proposed law exempts not-for-profit open source contrib

[…]

This article has been indexed from Deeplinks