Responsible Vulnerability Disclosure under the NIS 2.0 Proposal
Schmitz, Sandra
Schiffner, Stefan
Both the NIS Directive and the GDPR introduce breach reporting obligations. In the case of the GDPR in particular, this may include an obligation to go public about an incident. These legal obligations might conflict with the good and common practice of responsible vulnerability disclosure. This paper briefly outlines the reporting duties under the NIS Directive (NISD) and the GDPR and maps them to hypothetical scenarios in which informing end users about cyber incidents might lead to uncontrolled vulnerability disclosure. In that light, the paper analyses whether the latest proposal for a NIS Directive 2.0 strikes the right balance between the need for swift reporting and the need to investigate a vulnerability when it introduces a ‘coordinated vulnerability disclosure’.
Cybersecurity
Disclosure
GDPR
NIS Directive
Vulnerability
340
periodical
academic journal
JIPITEC
12
5
2022
448
457
2190-3387
urn:nbn:de:0009-29-54958
http://nbn-resolving.de/urn:nbn:de:0009-29-54958
schmitz2022