Got a Vulnerability? Your Software's Single Point of Contact
Security is a team sport, and your users can be valuable players in identifying weaknesses. The Cyber Resilience Act mandates that you establish a clear, single point of contact for reporting and receiving information about vulnerabilities in your software (Annex II, point 2).
What's Required
You need to tell your users:
- The Single Point of Contact: How can they report a potential vulnerability they've found in your game, app, or software library? This should be a dedicated and easily findable channel.
- Coordinated Vulnerability Disclosure Policy: Where can users find your policy on how you handle reported vulnerabilities? This policy should detail your process for receiving, assessing, and addressing vulnerability reports.
This information should be readily accessible, for instance, on your website, within the software's support section, or in its documentation.
Why It's Crucial for Software
Software, by its nature, can have vulnerabilities. Encouraging coordinated disclosure through a clear, well-publicised channel helps you learn about and fix issues faster, before they can be widely exploited. This applies to all software, from simple apps to complex game engines.
Key Takeaway
Establish and clearly communicate a single point of contact for vulnerability reporting and the location of your coordinated vulnerability disclosure policy. This is a direct requirement from Annex II, point 2, designed to make your software more secure through collaboration.