Communicating Software Vulnerabilities and Fixes to Users and Authorities
Fixing a vulnerability in your app or game is only part of the job under the Cyber Resilience Act (CRA). You also have responsibilities to communicate this information effectively.
Disclosing Fixed Vulnerabilities
Once a security update is available, Annex I, Part II, point (4), requires manufacturers to "share and publicly disclose information about fixed vulnerabilities". This disclosure should include:
- A description of the vulnerability.
- Information allowing users to identify the affected software (e.g., product name, version).
- The impacts of the vulnerability.
- Its severity.
- Clear, accessible information helping users remediate (e.g., install the update).
The CRA allows a delay in public disclosure in "duly justified cases" if the security risks of immediate publication outweigh the benefits, but only until users have had a chance to apply the patch.
Informing Users About Updates and Risks
When you release a security update, Annex I, Part II, point (8), mandates that it should be "accompanied by advisory messages providing users with the relevant information, including on potential action to be taken". This means clear release notes or notifications.
Furthermore, for actively exploited vulnerabilities or severe incidents having an impact on the security of your product, Article 14, Paragraph 8, requires you to inform impacted users (and where appropriate, all users) about the issue and any mitigation or corrective measures they can deploy.
Reporting to Authorities
Beyond user communication, Article 14 lays out mandatory reporting obligations to CSIRTs (Computer Security Incident Response Teams) and ENISA (European Union Agency for Cybersecurity) for:
- Actively exploited vulnerabilities (Article 14, Paragraph 1).
- Severe incidents having an impact on the security of the product (Article 14, Paragraph 3). Specific timelines and information requirements apply here (Article 14, Paragraphs 2 and 4).
Key Takeaway
The CRA requires transparent communication about software vulnerabilities and their fixes. This includes public disclosure of fixed issues, clear advisories to users about updates, and mandatory reporting of severe incidents and actively exploited vulnerabilities to designated authorities.