Vulnerability Management for Apps: Updates & Responsible Disclosure
Shipping your app is just the beginning under the EU Cyber Resilience Act (CRA). Ongoing vulnerability management is a core obligation for app developers.
Lifelong Security Commitment (During Support Period)
The CRA mandates that manufacturers (that's you, the app developer) handle vulnerabilities effectively throughout the app's defined "support period" (Article 13, Paragraph 8). This is detailed in Annex I, Part II, "Vulnerability handling requirements".
Key Actions for App Developers
- Identify & Document Components: Know what's in your app, including all SDKs and libraries. A Software Bill of Materials (SBOM) is crucial here (Annex I, Part II, Point 1).
- Remediate Vulnerabilities Promptly: When a vulnerability is found in your app or an integrated component, fix it "without delay" by providing security updates (Annex I, Part II, Point 2). The CRA suggests separating security updates from feature updates where feasible.
- Regular Security Testing: Continuously test and review your app's security (Annex I, Part II, Point 3).
- Coordinated Vulnerability Disclosure (CVD) Policy: Establish and enforce a policy for how security researchers and users can report vulnerabilities to you (Annex I, Part II, Point 5). This policy should be easily accessible.
- Facilitate Reporting: Provide a clear contact address for vulnerability reporting (Annex I, Part II, Point 6; Annex II, Item 2).
- Secure Update Distribution: Ensure your mechanism for delivering updates (e.g., through app stores or direct download) is secure to prevent tampering (Annex I, Part II, Point 7).
- Inform Users About Fixed Vulnerabilities: After a patch is available, publicly disclose information about the fixed vulnerability, its impact, and how users can apply the update (Annex I, Part II, Point 4).
- Free and Timely Updates: Security updates must be disseminated without delay and free of charge (Annex I, Part II, Point 8).
Support Period
You must define and communicate the support period for your app (Article 13, Paragraphs 8 and 19). This should reflect the app's expected period of use, with a minimum of five years unless a shorter period is justifiable (e.g., an event-specific app).
Key Takeaway
The CRA requires a structured, ongoing process for managing vulnerabilities in your app. This includes identifying issues, patching them promptly and securely, and clearly communicating with users about vulnerabilities and updates throughout the app's stated support period. A public CVD policy is essential.