 nostr:npub1zj46mlm94ekxxlc26xk3yyse9c89jd6hrf9q6ce34w045es6a86sqzfyjh 

Interesting, breaking down their proposed corrections to #infosec Article 11:

Agencies should explicitly be prohibited from using or sharing vulnerabilities disclosed through the CRA for intelligence, surveillance, or offensive purposes.

Morally right, but hard to enforce granted that nearly all of these are happening in secret anyway.

The CRA should not require reporting of vulnerabilities that are exploited through good faith security research.

That’s essentially to protect bug bounties, pentesting and zero-day traders from mandatory disclosure of vulnerabilities that are subject to NDA with their customers. This one I have a problem with because it only reinforces the effect of zero-days being a tradeable commodity and reduces Article 11 exclusively to situations where such a zero-day is caught in the wild, and even then you never know if it’s not “a friendly agency” using it “in good faith”.

Require reporting to agencies of mitigatable vulnerabilities only, within 72 hours of effective mitigations (e.g., a patch) becoming publicly available.

Granted that you can always mitigate a service as a last resort by simply switching it off, this one is rather harmful nonsense.