France’s 2023 Military Programming Law now requires all software publishers, including foreign ones, to report significant vulnerabilities to the national authority and to users.
You might think that the French Military Programming Law (LPM) only concerns the army, but that is not the case. The new edition of the LPM brings its share of obligations for some civilian stakeholders, including software publishers.
What is the French LPM 2024-2030?
The Military Programming Law (LPM) is a law that lays down provisions relating to France’s national defense, such as military spending. The latest edition was promulgated on August 1, 2023, and covers the next 7 years, i.e. 2024 to 2030. The official text of the LPM is available on Légifrance.
So, what does this have to do with software publishers? Well, it’s quite simple: the cybersecurity component has its share of new measures, including one that directly concerns all software publishers operating in France. Yes, all of them.
Software publishers: an obligation to notify all significant vulnerabilities to the French National Cybersecurity Agency (ANSSI)…
Article 66 of the LPM 2023 introduces a new article into the French Defense Code, known as L. 2321-4-1. Here are the first lines:
“In the event of a significant vulnerability affecting one of their products, or in the event of an IT incident compromising the security of their information systems likely to significantly affect one of their products, software publishers shall notify the National Cybersecurity Agency of France of this vulnerability or incident, together with an analysis of its causes and consequences. […]” – French Defense Code, Article L. 2321-4-1
To recap, software publishers must therefore:
- notify the national authority, the ANSSI
- in the event of a significant vulnerability in a product
- OR in the event of an incident affecting their information system (IS) and likely to significantly affect a product. An incident is defined here as “any event that compromises the availability, authenticity, integrity or confidentiality of data”.
- and provide an analysis of the root causes and consequences of the vulnerability or incident
… and to users!
And since good news never comes alone, the LPM 2023 introduces a twofold notification obligation: publishers must notify not only the ANSSI, but also the users of the product affected by a significant vulnerability. Here again, we are simply paraphrasing the legal text:
“Software publishers must inform users of this product, within a timeframe set by the National Cybersecurity Agency of France and determined on the basis of urgency, risks to national defense and security, and the time required for publishers to take corrective measures.”
It is therefore up to ANSSI to set the deadline for notifying users.
Or the French authority will disclose it for you
If you thought you could ignore this obligation to notify users without any consequences, you’re mistaken. The LPM 2023 provides for sanctions for offenders.
“Failing this, the French National Cybersecurity Agency can order software publishers to provide this information. It may also inform users or make public this vulnerability or incident, as well as its injunction to the publishers if it has not been enforced.” – French Defense Code, Article L. 2321-4-1
In other words: if you don’t inform your users yourself, the ANSSI will do it for you. This public disclosure may even come with a note telling your customers that you did not fulfill your obligations. So the real question is: who would you rather have notify your users, your own legal and public relations departments, or the French authority?
Which software publishers are affected?
Let’s put it simply: this applies to ALL software publishers who produce or distribute a software product in France (or have it produced or distributed). It doesn’t matter what size the company is, where its head office is located, or whether the software is distributed as SaaS or on-premises, for profit or free of charge.
The LPM 2023 couldn’t be clearer on the subject:
“This obligation applies to publishers who provide this product:
- On French territory;
- To companies headquartered in France;
- Or to companies controlled, within the meaning of Article L. 233-3 of the French Commercial Code, by companies having their registered office in France.”
Straightforward and effective. The net is cast so that no publisher with a presence in France can slip through, from the foreign GAFAM giants to local businesses.
LPM 2024-2030: when will it come into force?
The new LPM was officially adopted in mid-July 2023, and promulgated on August 1, 2023.
Concretely, what are the timeframes for software publishers’ reporting obligations to ANSSI?
For now, it is difficult to answer this question. The LPM 2023 stipulates that a Conseil d’État decree will set out how Article L. 2321-4-1 applies to software publishers. So, wait and see. But without getting too far ahead of ourselves, we can already assume that the sooner the better.
The most zealous among you can take inspiration from the response obligations to the competent authority introduced by the European NIS2 Directive. After all, the reporting timeframes brought in by LPM 2023 are unlikely to be stricter than those dictated by NIS2, which addresses sensitive entities. If you’d like to delve deeper into this, you’ll find a section covering response obligations in our NIS2 compliance guide.
And what about vulnerability remediation?
As it stands, the LPM 2023 does not set out an obligation to remediate discovered vulnerabilities, even if this is indeed the objective. After all, notifying the ANSSI and users is not an end in itself.
Ideally, software publishers who become aware of a significant vulnerability should start working on a patch as soon as possible. Letting the general public know that a product is still subject to an exploitable CVE isn’t exactly a good idea. An unscrupulous actor could take advantage of the situation to attack.
To balance user awareness and security needs, we can only advise you to adopt a Responsible Disclosure policy.
Notifying users: embrace Responsible Disclosure
Responsible Disclosure is a broad topic that deserves full coverage of its own, but the general idea is simple.
With Responsible Disclosure, companies and organizations commit to notifying users of potential vulnerabilities in a product, but not before a patch is available. Users can then proceed with corrective measures, without being at the mercy of an exploitable CVE.
In France, the LPM 2023 makes disclosure of significant vulnerabilities an official obligation for software publishers. They have no choice, and must inform their users as soon as possible. This means it is no longer possible to ignore a security problem indefinitely. And while the infosec community is still divided on the attitude to adopt when it comes to disclosure, Responsible Disclosure has become a matter of course for many. It honours the obligation to communicate with users, while ensuring their ongoing security.
A process stemming from the relationship between companies and ethical hackers
Responsible Disclosure is a process, and a state of mind, born out of the relationship between companies and ethical hackers. While some hackers wanted to expose vulnerabilities in the public arena to warn users, some organizations preferred to keep them under wraps indefinitely. Generally speaking, neither attitude serves the public interest or the overall security of society.
Responsible disclosure has emerged as a good compromise, satisfying both the general interest and that of all stakeholders. This process is sometimes referred to as Coordinated Vulnerability Disclosure, or CVD. If you’d like to dig deeper into the subject, we recommend reading one of the leading documents on the topic: Carnegie Mellon University’s CERT Guide to Coordinated Vulnerability Disclosure.
Reporting is good, detection is better
Everyone knows the saying “what you don’t know can’t hurt you.” That’s probably true for a lot of things, but certainly not in cybersecurity. When it comes to vulnerabilities, what you don’t know could one day bring you trouble – a lot of trouble.
Software publishers are particularly concerned by this, for the simple reason that they produce software. It’s all in the name, after all. And where there’s software, there are vulnerabilities: no digital asset is completely free of security flaws, that’s the cold hard truth. But that doesn’t mean you should accept your fate and deploy products riddled with CVEs.
You have to reduce the risk by identifying and remediating as many vulnerabilities as possible in your information system and products. It is crucial to spot your own weaknesses before cybercriminals do, so that you can correct them as quickly as possible. The security of your users, your reputation and – let’s face it – your bread and butter are at stake.
Offensive Security for software publishers
This is where Offensive Security comes in. The idea behind OffSec is simple: to put yourself in the position of an attacker to identify exploitable vulnerabilities. And at Yogosha, this has been our specialty since 2015.
This article is already long enough, so we’ll cut to the chase. We offer two distinct approaches to offensive security:
- Pentest as a Service: a security audit launched in less than a week for a flat fee. Uncover most of the vulnerabilities in a product and assess its security level at a given point in time, or schedule several pentests throughout your development life cycle as part of a DevSecOps approach.
- Bug Bounty: an in-depth vulnerability hunt with the elite hackers of the Yogosha Strike Force. Identify the most critical vulnerabilities on a pay-per-result basis. No vulnerabilities = no expenses, you only reward exploitable results.
LPM 2024-2030 and software publishers: key points to remember
The French Military Programming Law (LPM) 2024-2030 now requires all software publishers to:
- notify the French National Cybersecurity Agency (ANSSI)
- in the event of a significant vulnerability in a product
- OR in the event of an incident affecting their information system and likely to significantly affect a product
- AND provide an analysis of the root causes and consequences of the vulnerability or incident
- AND inform product users as soon as possible.
All publishers who produce and distribute software in France are concerned – yes, all of them.
In the meantime, we recommend that software publishers:
- draft an incident response plan, if they have not already done so;
- implement a Responsible Disclosure policy;
- implement vulnerability detection measures, such as the Offensive Security testing offered by Yogosha – i.e. Pentest as a Service and Bug Bounty;
- look into vulnerability management, and in particular the CVSS system, which assesses risk by assigning a score to vulnerabilities according to their potential impact. All vulnerabilities identified as part of our tests are automatically centralized and prioritized by CVSS score on our Vulnerability Operations Center platform.