[develatio]

This is a very simplistic take. There are CVEs and then there are CVEs. Some may take months to be properly fixed, no matter how many engineer-hours you put on them (e.g. the entire side-channel attacks saga). And that's not even taking into account the time required to alert different vendors (think about all the different linux distributions, upstream, big companies, etc...) and coordinate adequate steps.

[phpisthebest]

None of which matters if it is active exploit, which not only the government but users fo the software should be made aware of even if no patch is avalible yet, this will allow them to make the choice to shutdown the system, apply network level or other security measure, increase monitoring or many many many many other things they would be unable to do if software vendors keep it hidden for months while they choose what is the best course.

I am fundamentally a full disclosure supporter.

[Jensson]

Don't you think governments need to know if their software has a known actively exploited vulnerability that exposes their private data, especially if you are going to take months to fix it? Or are you saying it is fine to stay silent if you notice Russians are using an exploit reading private user data and it will take months for you to fix it?

[Arnt]

You make it sound as if the maintainer team already has a near-complete understanding of the problem in the first hours.

[Jensson]

Not sure what you mean, if you know you have an actively exploited vulnerability then what more investigation would you need to do in a few hours?

This law only talks about actively exploited vulnerabilities, if you find a bug and go home for the weekend without fixing it that should be fine since that bug isn't actively exploited.

Edit: Point is, once you have done the investigation necessary to know that it is actively exploited you already have a ton of understanding about the problem. I don't see why you would need more than 24 hours at that point just to write a report to affected actors.

[Arnt]

Suppose that I'm actively exploiting your software. Then I'm in a position where I can describe the exploit, but you may not be. After all I'm hardly eager to tell you how I'm doing it.

Once you discover that it's happening, you know there is an exploit so you know at least that the vulnerability exists. The discovery probably tells you something about the vulnerability, but how much? The last one I heard about in any detail was discovered when they noticed that an uplink was at 100% utilisation and realised that it was due to data being exfiltrated. That didn't tell them much about how the intruder gained the ability to exfiltrate the data.

Do you know enough to describe it? I know enough, but you're the one who's required to write a notification. Can you describe the vulnerability that's the subject of your notification?

[j16sdiz]

It's easy.

Just report whatever you knew already. ... and prepare to join endless meetings with no time work on the problem. /s

[develatio]

Even if they knew, what would they do about it? It's not like "the governments" could pull up a Spectre patch out of thin air. There are no mitigations. So what do they gain from knowing if they can't avoid it anyways?

[Libcat99]

There are mitigations for many vulnerabilities that don't involve the software being patched. For example, once you know a particular vulnerability exists, even if it's unpatched you can monitor for attempts against it, modify firewall rules and process monitoring to improve your awareness, etc.

[acdha]

It’s not uncommon for groups like CISA to recommend blocking things from the internet or disabling a particular feature which is part of the exploit but not critical to the entire app. They also proactively notify users in some cases (e.g. industrial systems) so everyone knows to install the patch as soon as it’s released.

As a simple analogy, look at how the Kia lock vulnerabilities are being handled. Yes, it’s best if you can repair everything but it’s not without value to make sure everyone affected knows the risk so they can change their behavior or buy a separate lock until then.

[Jensson]

> There are no mitigations

They can use different applications and communication channels to avoid leaking data to hostile governments.

[denton-scratch]

> There are no mitigations.

What about, everybody stops using the defective software? Or, more conservatively, all EU governments stop using the affected products?

[j16sdiz]

> Even if they knew, what would they do about it?

Call meetings. Join endless meetings. Make deadlines for more meetings.

[Detrytus]

Also, there are governments and then there are governments. I would rather have a company keep zero-day a secret than disclose it to government run by assholes such as Victor Orban or Emmanuel Macron.

[Kbelicius]

Reports of security breaches need to be reported to ENISA which is an EU institution.

[adql]

Keeping multi month ones secret is even bigger risk to security if workarounds exist.