The CRA will be a game-changing regulation for software and connected product security. The CRA imposes cybersecurity requirements for manufacturers of software and connected products sold in the EU market (regardless of where the manufacturer is located). Below are some of the requirements around the handling and reporting of vulnerabilities in connected devices and their software:
- Establish a coordinated vulnerability disclosure policy (CVD);
- Address and remediate vulnerabilities without delay, including by developing and maintaining processes to ensure regular testing and provide security updates where feasible;
- Report “actively exploited” vulnerabilities to their designated Computer Security Incident Response Team (CSIRT) and to the European Union Agency for Cybersecurity (ENISA);
- Provide a Software Bill of Materials (SBOM) of the most significant software dependencies in the covered products.
The legislative act will next be signed by the presidents of the Council and of the European Parliament and published in the EU’s official journal in the coming weeks. The new regulation will enter into force twenty days after publication with most provisions applying three years after entering into force. Certain requirements like vulnerability reporting will kick in within 21 months.
HackerOne’s advocacy helped drive notable improvements to the CRA, including (1) enhanced protections for good-faith security researchers from mandatory vulnerability reporting and (2) provisions encouraging EU states to protect researchers from liability and ensure they are compensated for their efforts. Unfortunately, the CRA requires product manufacturers to disclose actively exploited vulnerabilities regardless of mitigation status or guardrails for how government agencies may use the vulnerabilities. HackerOne will continue to work with Member States during the implementation process to seek additional safeguards in this process.
For an in-depth understanding of the vulnerability handling and reporting requirements, dive into HackerOne’s summary.