Step 3: Notify about Vulnerabilities and Incidents
Provide notifications to your community, and EU points of contact, about particular security issues.
Article 24(3) of the CRA references a few other subsections that apply to open-source software stewards. In particular, stewards’ obligations include those in Article 14(1), 14(3) and 14(8) in various circumstances.
Briefly, a project should provide notifications about:
any actively exploited vulnerabilities contained in the project; and
any severe incidents in the project’s IT systems that affect project security.
These notifications should be provided to the CSIRT coordinator / ENISA, via the EU’s single reporting platform.
Notifications should also be provided to affected users, which for most projects is likely to mean making them generally public.
These notifications should describe the vulnerability or incident, together with relevant mitigation measures available to the users.
Ideally, the notifications should be provided using a structured, machine-readable format. Software bills of materials (SBOMs) may be useful as one aspect of this reporting.