CRA Software Vulnerability Handling & Disclosure: An Introduction
The CRA makes it crystal clear: cybersecurity is not just a launch-day concern. It’s an ongoing commitment for the entire support period of your software product (Article 13(8) of the CRA legal text). 'Vulnerability Handling' is a core part of this.
Key Responsibilities (Annex I, Part II of the CRA legal text)
As a manufacturer of games, apps, or other software, you must have robust processes to:
- Identify and Document: Continuously look for vulnerabilities in your product and its components (including third-party and open-source ones). This involves maintaining a Software Bill of Materials (SBOM) (Annex I, Part II, point 1).
- Address and Remediate: Fix identified vulnerabilities without undue delay, typically by providing security updates (Annex I, Part II, point 2). These should ideally be separate from feature updates.
- Coordinated Vulnerability Disclosure: Establish and enforce a policy that allows security researchers and users to report vulnerabilities to you in a structured way (Annex I, Part II, point 5; Recital 76 of the CRA legal text). This includes having a clear contact point.
- Public Disclosure: Once a fix is available, you generally need to publicly disclose information about the fixed vulnerability (Annex I, Part II, point 4).
- Secure Updates: Ensure updates are distributed securely and, where appropriate, free of charge (Annex I, Part II, points 7 and 8).
Mandatory Reporting
Crucially, if you become aware of an actively exploited vulnerability in your product, or a severe incident impacting its security, you have strict reporting obligations to ENISA and national CSIRTs, often starting within 24 hours (Article 14 of the CRA legal text). This isn't optional; it's a core tenet of the CRA's approach to improving EU-wide cybersecurity.
Key Takeaway
The CRA demands continuous vulnerability management for your software's entire support life, including finding, fixing, and disclosing issues, plus mandatory fast reporting of actively exploited vulnerabilities and severe incidents.