EUCC cyber certification scheme enters early adopter phase after vulnerability disclosure rules issued

April 2, 2025

EUCC CERT SCHEME, implications for vuln management

A pioneering EU cyber-certification scheme for digital products is up and running following the publication of guidelines around the management and disclosure of vulnerabilities.

The EU Common Criteria (EUCC) scheme offers vendors of information and communication technology (ICT) products the opportunity to prove that their hardware or software meets stringent security standards.

Prerequisites for EUCC certification include providing security guidance to end users, committing to providing prompt security updates, following best practices around vulnerability disclosure, and monitoring and remediating publicly disclosed vulnerabilities.

The scheme aims to elevate and harmonise cybersecurity standards across the EU. It will also empower users to be more discriminating in terms of choosing secure products.

As of 27 February, the EUCC scheme has officially supplanted all equivalent national schemes. Certificates will be used by national cybersecurity certification authorities (NCCAs) following assessments conducted by accredited third-party conformity assessment bodies (CABs).

Certification is split into two levels of assurance: ‘substantial’ and ‘high’, with the latter applied to products with higher risk profiles and entailing more rigorous vulnerability assessments.

Bug Bounty a best-practice method

The European Union Agency for Cybersecurity (ENISA) published EUCC Guidelines on Vulnerability Management and Disclosure to coincide with the scheme’s commencement.

In accordance with ISO/IEC 30111:2019, this document explains how EUCC certificate holders can “maintain and publish appropriate methods for receiving information on vulnerabilities related to their products from external sources, including users, certification bodies and security researchers”.

Certificate holders must publish contact information for reporting suspected vulnerabilities, such as through a security.txt file. The document's non-exhaustive list of applicable methods for obtaining information about potential vulnerabilities includes Bug Bounty Programs, dark web monitoring and tracking vulnerability disclosure platforms.
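As an added example (not code from the article or from ENISA), here is a small Python check for a security.txt file of the kind mentioned above, verifying the two fields RFC 9116 makes mandatory and flagging a stale file; the sample file, its domain and addresses are constructed for this example.

```python
# Added example (not the article's or ENISA's code): parse and sanity-check a
# security.txt file. RFC 9116 requires at least one Contact field and exactly
# one Expires field (RFC 3339 timestamp), served at /.well-known/security.txt.
from datetime import datetime, timezone

# Constructed sample file; domain and addresses are placeholders.
SAMPLE = """\
# Vulnerability reporting channel for the certified product
Contact: mailto:security@example.com
Contact: https://example.com/vdp
Expires: 2026-12-31T23:59:59Z
Policy: https://example.com/security-policy
"""

def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp such as 2026-12-31T23:59:59Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_security_txt(text):
    """Return {lowercase field name: [values]}, skipping blank and comment lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue  # not a "Field: value" line; ignore rather than crash
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems (empty = basic RFC 9116 checks pass); `now` is an
    RFC 3339 string so staleness can be checked deterministically."""
    current = parse_rfc3339(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    if not fields.get("contact"):
        problems.append("missing required Contact field")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            if parse_rfc3339(expires[0]) <= current:
                problems.append("Expires is in the past; the file is stale")
        except (ValueError, TypeError):  # unparseable or naive (no timezone) timestamp
            problems.append("Expires is not a valid RFC 3339 timestamp")
    return problems
```

The check covers only the mandatory fields and expiry; it does not fetch the file, verify its location or validate an optional PGP signature.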

Vulnerability impact analysis

When a certificate holder becomes aware of a suspected vulnerability, they must perform a detailed vulnerability impact analysis to ascertain whether the bug is new, if it poses a legitimate security risk, its severity, and its potential impact on the certified product’s conformity. Vulnerability impact analysis reports should be retained for at least five years.

Validated vulnerabilities must be mitigated promptly. If the vendor becomes aware of potential active exploitation, they should notify the certification body and prioritise impact assessment and risk mitigation.

Exploit information must be handled in accordance with FIRST’s Traffic Light Protocol (TLP) or EUCC’s 'Minimum Site Security Requirements'.

Certificate holders are also instructed to adhere to ISO/IEC 29147, related to vulnerability disclosure.

The guidelines detail the responsibilities of certification bodies, national cybersecurity certification authorities (NCCAs), and Computer Security Incident Response Teams (CSIRTs) as they pertain to coordinated vulnerability disclosure.

In response to an invitation to comment about the relevance of VDPs, Germany’s Federal Office for Information Security told YesWeHack: “A VDP is a useful method of obtaining information from external sources about vulnerabilities in your own products. This applies not only to EUCC certificate holders, but also to many other companies and institutions.”

A voluntary scheme – but VDPs are now essential

The EUCC is currently a voluntary scheme.

However, the Cyber Resilience Act (CRA), which will apply from 11 December 2027, mandates that vendors of products with digital elements (PDEs) implement VDPs (also known as coordinated vulnerability disclosure or CVD policies) if they want to sell their devices or software in the world’s largest trading bloc. As in the EUCC scheme, Bug Bounty Programs are explicitly referenced by the CRA as a vehicle for fulfilling CVD obligations.

So whether they certify their products under the EUCC scheme or not, vendors of digital products can ill afford to overlook best practices for vulnerability disclosure and management – and those best practices unequivocally include VDPs and Bug Bounty Programs.

Strengthen your security posture

Bug Bounty Programs from YesWeHack, which crowdsource the continuous testing of in-scope assets and risk-based prioritisation of the most critical vulnerabilities, are aligned with the EUCC’s emphasis on early detection and prompt remediation.

A VDP meanwhile is prescribed by the standards that the ENISA guidelines for vulnerability management and disclosure are based on: ISO 29147 and ISO 30111.

YesWeHack can help you create a branded VDP aligned with industry best practices, such as end-to-end encryption, and integrate it into your website. The product also offers a unified interface for receiving reports, and a triage service that evaluates the severity of vulnerabilities and ensures you receive only valid, actionable reports.