Annex I, Part II, Req 4: Publicly Disclosing Fixed Software Vulnerabilities
Transparency is a key theme in the EU Cyber Resilience Act (CRA). Once you've fixed a security vulnerability in your software, you need to tell people about it. Annex I, Part II, Point 4 requires manufacturers to, "once a security update has been made available, share and publicly disclose information about fixed vulnerabilities...".
What to Disclose
The disclosure should include:
- Description of the Vulnerability: What was the flaw?
- Product Identification: Which versions of your software were affected?
- Impacts of the Vulnerability: What could an attacker do if they exploited it?
- Severity: How serious was it (e.g., using CVSS scoring if appropriate)?
- Remediation Information: Clear, accessible information on how users can fix it (e.g., "Install update X.Y.Z available from [link/app store]").
Timing of Disclosure: After the Update is Available
The requirement specifies disclosure "once a security update has been made available." This is crucial. You provide the fix first, then you detail the problem. This prevents attackers from learning about a vulnerability before users have a chance to protect themselves.
Exception for Delayed Disclosure
The CRA allows for a delay in public disclosure "in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits...until after users have been given the possibility to apply the relevant patch." This might apply if, for example, an immediate full disclosure could inadvertently help attackers craft exploits faster than users can patch, but the expectation is still to disclose once that immediate risk subsides.
How to Disclose
This could be through:
- Security advisories on your website.
- Release notes for the update.
- Contributions to public vulnerability databases (e.g., CVE program), as ENISA may also add notified vulnerabilities to the European vulnerability database (Article 17, Paragraph 5).
Key Takeaway
As per Annex I, Part II, Point 4 of the CRA, after you release a security update, you must publicly disclose details about the vulnerability that was fixed. This includes what it was, its impact, and how users can apply the fix. Disclosure generally happens after the patch is out.