Setting Up Channels for Receiving Software Vulnerability Reports
The Cyber Resilience Act (CRA) requires you to make it easy for people to tell you about potential security weaknesses in your app, game, or software. This isn't just good practice; it's a specific obligation.
Single Point of Contact
Article 13, Paragraph 17, mandates that manufacturers "shall designate a single point of contact to enable users to communicate directly and rapidly with them, including in order to facilitate reporting on vulnerabilities". This point of contact must be easily identifiable by users and included in your user instructions (detailed in Annex II). Recital 63 adds that this contact point should not rely exclusively on automated tools, meaning a real human or a direct human-monitored channel should be accessible.
Facilitating Information Sharing
Annex I, Part II, point (6), further requires you to "take measures to facilitate the sharing of information about potential vulnerabilities... including by providing a contact address for the reporting of the vulnerabilities discovered". This contact address is a core part of your Coordinated Vulnerability Disclosure policy.
Practical Channels for Your Software
For developers of apps, games, or software libraries, effective channels could include:
- Dedicated Email Address: A clearly advertised mailbox on your own domain (for example, a security@ address) reserved for vulnerability reports.
- Contact Form: A specific form on your website for security reports.
- Help Desk Integration: If you have a support system, ensure it can route security reports appropriately and confidentially.
- Bug Bounty Platforms: If you use services like HackerOne or Bugcrowd, these act as managed reporting channels.
Ensure these channels are actively monitored and that reporters receive a timely acknowledgement. The goal is to make reporting straightforward, so that you receive the information you need to fix issues.
Key Takeaway
The CRA requires you to establish a clear, easily accessible single point of contact for vulnerability reporting for your software. This should be well-publicized and allow for direct communication.