
Vulnerability Management for Games: Patching and Updates under CRA

So, you have shipped your game. Job done? Not under the EU Cyber Resilience Act (CRA). One of the biggest shifts the CRA brings is the ongoing responsibility for vulnerability management throughout your game's support period.

Ongoing Responsibility

The CRA is clear: manufacturers (that’s you, the game developer) must handle vulnerabilities effectively and in accordance with essential requirements for a defined "support period" (Article 13, Paragraph 8). This isn't just a suggestion; it's a core part of the regulation (Annex I, Part II).

Key Vulnerability Handling Requirements (Annex I, Part II)

Here's what you need to do:

  1. Identify and Document: Know what components are in your game, including third-party ones. Drawing up a Software Bill of Materials (SBOM) is part of this (Point 1).
  2. Address and Remediate Promptly: When vulnerabilities are found, fix them. This means providing security updates (Point 2). The CRA even suggests that, where technically feasible, security updates should be separate from functionality updates.
  3. Effective Testing: Regularly test and review the security of your game (Point 3).
  4. Publicly Disclose Fixed Vulnerabilities: Once patched, inform your users about fixed vulnerabilities, their impact, and how to remediate (e.g., install the update) (Point 4).
  5. Coordinated Vulnerability Disclosure Policy: Have a clear policy for how people can report vulnerabilities to you (Point 5).
  6. Facilitate Information Sharing: Provide a contact point for vulnerability reporting (Point 6).
  7. Secure Distribution of Updates: Ensure your patching mechanism itself is secure (Point 7).
  8. Timely and Free Security Updates: Disseminate security updates without delay and free of charge, along with advisories (Point 8).
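To make Points 2 and 7 concrete, here is an added example (not from this article, and not tied to any particular engine or storefront) of the client-side checks a secure update mechanism needs: the manifest is signed so the client only applies updates from the publisher, the payload hash is bound into the signed manifest, the version must move forward so an attacker cannot serve an old vulnerable build back to players, and a "kind" field lets security updates ship independently of feature updates. The manifest format, the Ed25519 key pair generated at runtime, the sample payload bytes and the advisory identifier are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// UpdateManifest is a hypothetical signed description of one update.
// Kind lets the launcher apply "security" updates on their own schedule,
// independent of "feature" updates (the CRA's separation suggestion).
type UpdateManifest struct {
	Version    int    `json:"version"`     // must increase monotonically (anti-rollback)
	Kind       string `json:"kind"`        // "security" or "feature"
	PayloadSHA string `json:"payload_sha"` // hex SHA-256 of the update payload
	Advisory   string `json:"advisory"`    // identifier of the advisory describing the fix
}

// SignManifest runs in the publisher's build pipeline: serialize and sign.
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) (body, sig []byte, err error) {
	body, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyUpdate runs in the game client or launcher. Order matters: verify the
// signature before parsing anything, then enforce anti-rollback, then bind
// the downloaded payload to the signed hash.
func VerifyUpdate(pub ed25519.PublicKey, body, sig, payload []byte, installed int) (UpdateManifest, error) {
	var m UpdateManifest
	if !ed25519.Verify(pub, body, sig) {
		return m, errors.New("manifest signature invalid: refusing update")
	}
	if err := json.Unmarshal(body, &m); err != nil {
		return m, fmt.Errorf("manifest unparsable: %w", err)
	}
	if m.Version <= installed {
		return m, fmt.Errorf("rollback rejected: manifest version %d <= installed %d", m.Version, installed)
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA {
		return m, errors.New("payload hash does not match signed manifest")
	}
	return m, nil
}

// ScenarioResult records which of the four constructed cases behaved correctly.
type ScenarioResult struct {
	GenuineAccepted  bool
	TamperedRejected bool
	RollbackRejected bool
	WrongKeyRejected bool
}

// RunScenario signs a constructed security update and exercises the client checks.
func RunScenario() ScenarioResult {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed sample patch bytes") // stands in for the real patch file
	sum := sha256.Sum256(payload)
	m := UpdateManifest{
		Version:    42,
		Kind:       "security",
		PayloadSHA: hex.EncodeToString(sum[:]),
		Advisory:   "EXAMPLE-ADVISORY-ID", // placeholder, not a real advisory
	}
	body, sig, _ := SignManifest(priv, m)

	var r ScenarioResult
	_, err := VerifyUpdate(pub, body, sig, payload, 41)
	r.GenuineAccepted = err == nil

	// Payload swapped in transit: hash no longer matches the signed manifest.
	_, err = VerifyUpdate(pub, body, sig, append([]byte("x"), payload...), 41)
	r.TamperedRejected = err != nil

	// Same valid manifest replayed against a client already on version 42.
	_, err = VerifyUpdate(pub, body, sig, payload, 42)
	r.RollbackRejected = err != nil

	// Manifest signed by someone other than the publisher.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, err = VerifyUpdate(otherPub, body, sig, payload, 41)
	r.WrongKeyRejected = err != nil
	return r
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

In a real launcher the public key would be pinned in the client binary (or in firmware/platform trust store), the installed version would be read from tamper-resistant local state, and the advisory field would point at the public disclosure required by Point 4.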

The Support Period

You define the support period, which must reflect how long the game is reasonably expected to be in use, with a minimum of five years unless a shorter period (like the game's actual expected lifetime) can be justified (Article 13, Paragraph 8). You need to document how you determined this period (Annex VII, Point 4).

Key Takeaway

The CRA mandates a proactive and ongoing approach to vulnerability management for your games. This includes identifying, remediating, and communicating about vulnerabilities, and providing free, timely security updates throughout the game's defined support period.