Security vulnerabilities in hardware and software are a global, collective cyber security problem. The advancing digitalisation of the living world, combined with digital arms races, increase vulnerability, especially in industrialised countries. At the same time, offensive cyber actors insist that the exploitation of so-called zero-day (“0-day”) vulnerabilities is essential for military cyber operations, but also for the purpose of espionage and law enforcement.

A constructive approach to this offensive-defensive dilemma that states face when handling 0-day vulnerabilities has not yet been taken in German cyber security policy. The German government should develop a more proactive approach regarding vulnerabilities. It should rethink the practice of state acquisition and use of vulnerabilities, work towards shortening the lifetime of vulnerabilities, and reflect on the negative externalities of an offensive cybersecurity policy. Germany and the EU should cultivate a more open approach to vulnerabilities instead of prioritising secrecy. This includes the introduction of mandatory reporting programmes for private and public organisations, the provision of bug bounty platforms, and the regulation of vulnerability black markets.