Cyber conflict poses fundamental challenges to traditional approaches to disarmament. Cyber capabilities are not discrete weapons, but assemblages of technical and human components, among which software vulnerabilities often serve as critical enablers of access and exploitation. This paper argues that one of the most plausible ways of pursuing cyber ‘disarmament’ in practice lies in the governance of software vulnerabilities, particularly through mechanisms for vulnerability disclosure. In this context, vulnerability disclosure refers to processes through which newly discovered software flaws are reported, assessed and either remediated or managed by vendors, governments and security researchers. Vulnerability disclosure does not eliminate cyber capabilities, but it shapes incentives, constrains windows of exploitation and reduces systemic risk while preserving legitimate security and innovation interests.
The paper proceeds in several steps. It first examines the structure of the global vulnerability ecosystem and the conditions that influence whether vulnerabilities are disclosed, retained or circulated. It then explains why international arms control and cyber norm processes have struggled to engage meaningfully with cyber capabilities, including software vulnerabilities. Against this backdrop, the analysis shows how vulnerability governance is displaced towards domestic institutional arrangements that operate upstream of cyber operations. It turns to Europe as a case study, highlighting partial European Union-level harmonization alongside persistent national fragmentation, and concludes with recommendations for strengthening Europe’s vulnerability governance framework.
I. Introduction
II. The emergence of a global vulnerability ecosystem
III. The limits of arms control frameworks in governing cyber capabilities
IV. Vulnerability governance as domestic institutional practice
V. Multi-level and fragmented vulnerability governance in the EU
VI. Recommendations for strengthening vulnerability governance in Europe
VII. Conclusion