No cyber resilience without open source sustainability
Blog post from GitHub
GitHub is working with the open source community to shape the EU's Cyber Resilience Act (CRA), which aims to strengthen the cybersecurity of digital products, including those containing open source software, by imposing stringent requirements on vendors. Although the CRA exempts open source developed outside a commercial activity, its current text may unintentionally threaten open source sustainability: it could bring into scope projects that receive donations and projects with corporate-employed contributors, and it could disrupt established coordinated vulnerability disclosure processes.

As drafted, the legislation could impose burdensome compliance obligations on an open source project as soon as corporate employees contribute to it, which may lead companies to reduce their involvement in open source and slow innovation. In addition, the requirement to disclose vulnerabilities immediately could undermine the established practice of limiting how long an unpatched vulnerability is exposed before a fix is available.

With the ITRE Committee preparing to vote on the CRA, GitHub urges stakeholders to engage with policymakers so that the final legislation supports open source's distinctive development model and its resilience.