{"id":9094,"date":"2026-05-23T08:06:05","date_gmt":"2026-05-23T08:06:05","guid":{"rendered":"https:\/\/godshand.link\/ground_post\/cyber-disarmament-in-practice-the-eus-role-in-governing-software-vulnerabilities-in-a-fragmented-international-order\/"},"modified":"2026-05-23T08:06:05","modified_gmt":"2026-05-23T08:06:05","slug":"cyber-disarmament-in-practice-the-eus-role-in-governing-software-vulnerabilities-in-a-fragmented-international-order","status":"publish","type":"ground_post","link":"https:\/\/godshand.link\/en_gb\/ground_post\/cyber-disarmament-in-practice-the-eus-role-in-governing-software-vulnerabilities-in-a-fragmented-international-order\/","title":{"rendered":"Cyber (Dis)armament in Practice: The EU\u2019s Role in Governing Software Vulnerabilities in a Fragmented International Order"},"content":{"rendered":"<p><br \/>\n<\/p>\n<section class=\"content column\">\n<p>    <a target=\"_blank\" id=\"main-content\"><\/a><\/p>\n<div id=\"sipri-2016-page-title\" class=\"block block-core\">\n<h1>\n<span>Cyber (Dis)armament in Practice: The EU\u2019s Role in Governing Software Vulnerabilities in a Fragmented International Order<\/span><br \/>\n<\/h1>\n<\/p><\/div>\n<div class=\"views-element-container block block-views\" id=\"views-block-publications-block-4\">\n<div>\n<div class=\"js-view-dom-id-664bac063b23d2778744062ad14d80d6d0d39929feb45c8202cc29bea22e4f74\">\n<div class=\"views-row\">\n<div class=\"views-field views-field-field-image\">\n<div class=\"field-content\">  <img 
decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.sipri.org\/sites\/default\/files\/styles\/publications_lareg\/public\/2026-05\/eunpdc_no_100_cyber_disarmament_cover.png?itok=0iMYylQs\" width=\"290\" height=\"435\" alt=\"EUNPDC_100_cover\"><\/p>\n<\/div>\n<\/div>\n<div class=\"views-field views-field-view\"><span class=\"field-content\"><\/p>\n<div class=\"js-view-dom-id-919f49b8994f36ba92033e13b2d95fa06120ea24fcf93e140aa73dc4c85fa369\">\n<p> <span class=\"_880 views-row\"><br \/>\n  <span class=\"views-field views-field-title\"><span class=\"field-content\"><a target=\"_blank\" href=\"https:\/\/www.sipri.org\/about\/bios\/eugenio-benincasa\" hreflang=\"en\">Eugenio Benincasa<\/a><\/span><\/span><\/span><\/p>\n<\/div>\n<p><\/span><\/div>\n<div class=\"views-field views-field-field-year-of-publication\">\n<div class=\"field-content\">May 2026<\/div>\n<\/div>\n<div class=\"views-field views-field-field-publisher-loaction\">\n<div class=\"field-content\">Stockholm<\/div>\n<\/div>\n<div class=\"views-field views-field-field-publisher-name\">\n<div class=\"field-content\">SIPRI<\/div>\n<\/div>\n<div class=\"views-field views-field-field-doi\">\n<p class=\"field-content\"><a target=\"_blank\" href=\"https:\/\/doi.org\/10.55163\/\">https:\/\/doi.org\/10.55163\/<\/a><\/p>\n<\/div><\/div>\n<\/div>\n<\/div><\/div>\n<div id=\"sipri-2016-content\" class=\"block block-system\">\n<div data-history-node-id=\"7881\" class=\"node node--type-publication node--view-mode-full ds-1col clearfix\">\n<div class=\"field-pdf-full-publication field--label-hidden\">\n<div class=\"field-items\">\n<div class=\"field-item button_style\">\n\t<a target=\"_blank\" href=\"https:\/\/www.sipri.org\/sites\/default\/files\/2026-05\/eunpdc_no_100_cyber_disarmament.pdf\">DOWNLOAD FULL PUBLICATION<\/a>\n      <\/div><\/div>\n<\/div>\n<div class=\"body field--label-hidden\">\n<div class=\"field-items\">\n<div class=\"field-item\">\n<p>Cyber conflict poses fundamental challenges to traditional 
approaches to disarmament. Cyber capabilities are not discrete weapons, but assemblages of technical and human components, among which software vulnerabilities often serve as critical enablers of access and exploitation. This paper argues that one of the most plausible ways of pursuing cyber \u2018disarmament\u2019 in practice lies in the governance of software vulnerabilities, particularly through mechanisms for vulnerability disclosure. In this context, vulnerability disclosure refers to processes through which newly discovered software flaws are reported, assessed and either remediated or managed by vendors, governments and security researchers. Vulnerability disclosure does not eliminate cyber capabilities, but it shapes incentives, constrains windows of exploitation and reduces systemic risk while preserving legitimate security and innovation interests.<\/p>\n<p>The paper proceeds in several steps. It first examines the structure of the global vulnerability ecosystem and the conditions that influence whether vulnerabilities are disclosed, retained or circulated. It then explains why international arms control and cyber norm processes have struggled to meaningfully engage cyber capabilities, including software vulnerabilities. Against this backdrop, the analysis shows how vulnerability governance is displaced towards domestic institutional arrangements that operate upstream of cyber operations. It turns to Europe as a case study, highlighting partial European Union-level harmonization alongside persistent national fragmentation, and concludes with recommendations for strengthening Europe\u2019s vulnerability governance framework.<\/p>\n<\/div><\/div>\n<\/div>\n<div class=\"field-contents field--label-above\">\n<div class=\"label\">Table of contents<\/div>\n<div class=\"field-items\">\n<div class=\"field-item\">\n<p class=\"p2\">I. Introduction<\/p>\n<p class=\"p2\">II. The emergence of a global vulnerability ecosystem<\/p>\n<p class=\"p2\">III. 
The limits of arms control frameworks in governing cyber capabilities<\/p>\n<p class=\"p2\">IV. Vulnerability governance as domestic institutional practice<\/p>\n<p class=\"p2\">V. Multi-level and fragmented vulnerability governance in the EU<\/p>\n<p class=\"p2\">VI. Recommendations for strengthening vulnerability governance in Europe<\/p>\n<p class=\"p2\">VII. Conclusion<\/p>\n<\/div><\/div>\n<\/div>\n<div>\n<h3>ABOUT THE AUTHOR(S)\/EDITORS<\/h3>\n<div class=\"dynamic-block-fieldnode-commentary-about-the-authors field--label-hidden\">\n<div class=\"field-items\">\n<div class=\"field-item\">\n<div class=\"views-element-container\">\n<div class=\"js-view-dom-id-8d0fee22545ab32ca31f2ca76fb8f726ddaf9d2debf796dc4341b14350d0f5bc\">\n<div class=\"views-row\">\n<div class=\"views-field views-field-field-image\">\n<div class=\"field-content\">  <a target=\"_blank\" href=\"https:\/\/www.sipri.org\/about\/bios\/eugenio-benincasa\" hreflang=\"en\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.sipri.org\/sites\/default\/files\/styles\/thumbnail\/public\/default_images\/Logo_black.jpg?itok=_ysXWhz8\" width=\"100\" height=\"100\" alt=\"Default profile image\"><\/p>\n<p><\/a>\n<\/div>\n<\/div>\n<div class=\"views-field views-field-body\">\n<div class=\"field-content\"><a target=\"_blank\" href=\"https:\/\/www.sipri.org\/about\/bios\/eugenio-benincasa\" hreflang=\"en\">Eugenio Benincasa<\/a> is a Senior Cyber Defense Researcher at the Center for Security Studies, ETH Z\u00fcrich.\n   <\/div>\n<\/div><\/div>\n<\/div>\n<\/div>\n<\/div><\/div>\n<\/div><\/div>\n<\/div><\/div>\n<\/section>\n<p><br \/>\n<br \/><a 
href=\"https:\/\/www.sipri.org\/publications\/2026\/eu-non-proliferation-and-disarmament-papers\/cyber-disarmament-practice-eus-role-governing-software-vulnerabilities-fragmented-international?rand=6456\" target=\"_blank\">Source link <\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>Breadcrumb Publications search Cyber (Dis)armament in Practice: The EU\u2019s Role in Governing Software Vulnerabilities in a Fragmented International Order Eugenio Benincasa May 2026 Stockholm SIPRI https:\/\/doi.org\/10.55163\/ DOWNLOAD FULL PUBLICATION Cyber conflict poses fundamental challenges to traditional approaches to disarmament. Cyber capabilities are not discrete weapons, but assemblages of technical and human components, among which software vulnerabilities often serve as critical&hellip;<\/p>","protected":false},"author":99090,"featured_media":9095,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"open","template":"","format":"standard","meta":{"give_campaign_id":0,"footnotes":""},"tags":[2234,2548,2549,2554,2551,644,2555,1324,2550,2552,2553],"ground_category":[315,317],"class_list":["post-9094","ground_post","type-ground_post","status-publish","format-standard","has-post-thumbnail","hentry","tag-cyber","tag-disarmament","tag-eus","tag-fragmented","tag-governing","tag-international","tag-order","tag-practice","tag-role","tag-software","tag-vulnerabilities","ground_category-2-grounds-tribulation","ground_category-2-2-time-dispute"],"fifu_image_url":"https:\/\/www.sipri.org\/sites\/default\/files\/2026-05\/eunpdc_no_100_cyber_disarmament_cover.png","_links":{"self":[{"href":"https:\/\/godshand.link\/en_gb\/wp-json\/wp\/v2\/ground_post\/9094","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/godshand.link\/en_gb\/wp-json\/wp\/v2\/ground_post"}],"about":[{"href":"https:\/\/godshand.link\/en_gb\/wp-json\/wp\/v2\/types\/ground_post"}],"author":[{"embeddable":true,"href":"https:\/\/godshand.link\/en_gb\/wp-json\/wp\/v2\/users\/99090"}],"repl
ies":[{"embeddable":true,"href":"https:\/\/godshand.link\/en_gb\/wp-json\/wp\/v2\/comments?post=9094"}],"version-history":[{"count":0,"href":"https:\/\/godshand.link\/en_gb\/wp-json\/wp\/v2\/ground_post\/9094\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/godshand.link\/en_gb\/wp-json\/wp\/v2\/media\/9095"}],"wp:attachment":[{"href":"https:\/\/godshand.link\/en_gb\/wp-json\/wp\/v2\/media?parent=9094"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/godshand.link\/en_gb\/wp-json\/wp\/v2\/tags?post=9094"},{"taxonomy":"ground_category","embeddable":true,"href":"https:\/\/godshand.link\/en_gb\/wp-json\/wp\/v2\/ground_category?post=9094"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}