Software Vulnerability Handling Processes Documentation

A huge part of your Cyber Resilience Act (CRA) obligation is demonstrating you have a solid plan for handling vulnerabilities after your software is released. Annex VII, point 2(b), requires you to include "necessary information and specifications of the vulnerability handling processes put in place by the manufacturer" in your Technical Documentation.

What to Document

This section of your documentation should be a clear, practical overview of your vulnerability management program. It must include:

  • The Software Bill of Materials (SBOM): Your Technical Documentation must reference your SBOM. This list of components is fundamental to tracking vulnerabilities in third-party libraries used in your app or game.
  • Coordinated Vulnerability Disclosure (CVD) Policy: Include a copy of or reference to the CVD policy you've established as required by Annex I, Part II, point (5).
  • Contact Address: Evidence that you provide a contact address for reporting vulnerabilities. This is your public-facing channel for security researchers.
  • Secure Update Distribution: A description of the technical solutions you've chosen for the secure distribution of updates. For an app, this might describe your use of official app stores. For desktop software, it would detail your secure auto-updater mechanism, including the use of code signing and HTTPS.

This documentation serves as the blueprint for your ongoing security operations, proving to authorities that you have a repeatable and compliant process in place.

Key Takeaway

Your Technical Documentation must explicitly detail your vulnerability handling processes. This includes your SBOM, your public CVD policy, your vulnerability reporting channel, and the mechanisms you use to securely deliver patches to users.