How to Handle an "Actively Exploited" Vulnerability Report for Your Software

Receiving a report that a vulnerability in your app or game is being actively exploited in the wild is one of the most serious situations you can face under the Cyber Resilience Act (CRA). You need a clear plan of action.

Step 1: Immediate Triage and Confirmation (Hours 0-1)

  • Confirm the Report: Verify immediately whether the report is credible: can you reproduce the exploit, and is there evidence of active exploitation?
  • Assemble Your Team: Get your key technical and management people on a call. This is an all-hands-on-deck situation.

Step 2: Start the Reporting Clock (Hours 1-24)

  • Article 14 is Live: The moment you "become aware" of the active exploit, the CRA's mandatory reporting clock starts.
  • 24-Hour Early Warning: You have 24 hours to submit an "early warning notification" to the CSIRT designated as coordinator and ENISA via the single reporting platform (Article 14, Paragraph 2a). This initial report can be brief but must be timely.

Step 3: Assess Impact and Communicate (Hours 1-48)

  • Assess the Damage: How many users are affected? What data is at risk? Is the exploit widespread?
  • Inform Users: Article 14, Paragraph 8, requires you to inform impacted users about the incident and any immediate mitigation steps they can take (e.g., changing passwords, temporarily disabling a feature in your app).
  • 72-Hour Notification: You have 72 hours from awareness to provide a more detailed "vulnerability notification" to authorities, including any corrective measures taken (Article 14, Paragraph 2b).

Step 4: Develop, Test, and Deploy the Patch

  • Top Priority: Developing a fix for an actively exploited vulnerability should be your engineering team's number one priority.
  • Rapid but Safe Deployment: While speed is critical, you must still test the patch to ensure it works and doesn't cause other major issues. Use your secure update distribution mechanism to get it to users "without delay".

Step 5: Final Reporting and Post-Mortem

  • Final Report to Authorities: No later than 14 days after the fix is available, you must submit a final, detailed report to the authorities (Article 14, Paragraph 2c).
  • Learn from the Incident: Conduct a thorough post-mortem to understand how the vulnerability was introduced and how your response could be improved. Update your risk assessment.

Key Takeaway

When a vulnerability in your software is actively exploited, you must act immediately on three fronts: technical (fixing the issue), communication (informing users), and regulatory (meeting the strict 24/72-hour reporting deadlines in Article 14 of the CRA).