Annex I, Part II, Req 6: Facilitating Sharing of Potential Software Vulnerability Info

Security is a shared responsibility, and the EU Cyber Resilience Act (CRA) encourages communication about potential weaknesses. Annex I, Part II, Point 6 requires manufacturers to "take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements".

What This Means for You

  1. Provide a Reporting Channel:
    • You must have a clear, easily discoverable way for anyone (users, security researchers, other developers) to report potential vulnerabilities they find in your software.
    • This is typically a dedicated email address (e.g., a security@ mailbox on your own domain) or a web form on your website.
    • This contact address is also a required piece of user information under Annex II, Item 2.
  2. Facilitate, Not Just Receive:
    • "Take measures to facilitate" implies more than just having an inbox. It suggests you should be receptive to such reports and have a process for handling them.
    • This ties directly into your Coordinated Vulnerability Disclosure (CVD) policy (Annex I, Part II, Point 5), which should outline how you'll work with reporters.
  3. Covers Your Product and Its Components:
    • This applies to vulnerabilities in the code you wrote for your app or game.
    • It also applies to vulnerabilities found in third-party components (SDKs, libraries) that are part of your product. If someone reports a flaw in a library your software uses, which in turn makes your software vulnerable, that information needs a channel to reach you. You then have a responsibility to address it, potentially by updating the library or reporting it to the library maintainer (Article 13, Paragraph 6).
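As an added example (not from the page, which does not mention it), one widely used way to make the contact address in point 1 discoverable is a security.txt file served at /.well-known/security.txt, as defined in RFC 9116. The checker below parses a constructed sample and flags the fields a CRA reporting channel needs; the example.com addresses are placeholders.

```python
"""Check a security.txt (RFC 9116) file for the fields a CRA reporting channel needs.
Constructed example. RFC 9116 requires Contact (one or more URIs) and Expires (exactly
one ISO 8601 timestamp); Policy is optional there but checked here because the CRA
pairs the contact address with a CVD policy (Annex I, Part II, Point 5)."""
from datetime import datetime, timezone

REQUIRED = ("Contact", "Expires")
URI_SCHEMES = ("mailto:", "https:", "tel:")


def parse_security_txt(text: str) -> dict:
    """Collect 'Field: value' lines; comments (#) and blank lines are skipped."""
    fields: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_reporting_channel(text: str, now=None) -> list:
    """Return the problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field {n}" for n in REQUIRED if n not in fields]
    for uri in fields.get("Contact", []):
        if not uri.startswith(URI_SCHEMES):
            problems.append(f"Contact must be a mailto:/https:/tel: URI, got {uri!r}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {value!r}")
            continue
        if when.tzinfo is None:  # treat a bare timestamp as UTC
            when = when.replace(tzinfo=timezone.utc)
        if when <= now:
            problems.append("Expires is in the past; the file is stale")
    if "Policy" not in fields:
        problems.append("no Policy field pointing at the CVD policy")
    return problems


# Constructed samples; example.com is a placeholder domain, not a real contact.
GOOD = """# served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Policy: https://example.com/security/cvd-policy
"""
STALE = "Contact: security@example.com\nExpires: 2020-01-01T00:00:00Z\n"
```

Running `check_reporting_channel(GOOD)` returns an empty list, while `STALE` is flagged for a bare (non-URI) contact, an expired timestamp and a missing Policy link.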

Building Trust

Providing a clear channel for vulnerability reporting demonstrates a commitment to security and encourages responsible disclosure, allowing you to fix issues before they are widely exploited.

Key Takeaway

Under Annex I, Part II, Point 6 of the CRA, you must make it easy for people to report potential vulnerabilities in your software and its components. This means providing a clear contact address and having processes (like your CVD policy) to manage these reports effectively.