Under the CRA, handling vulnerabilities isn’t just good practice; it’s the law. Manufacturers have to detect, document, fix, and report exploited vulnerabilities within 24 hours (!), plus submit final reports in just 14 days. Oh, and notify users too, preferably in a machine-readable format.
Annex I Part II gives the high-level rules, and Articles 14–16 lay out the detailed reporting timelines and the new ENISA-managed single reporting platform.
How are you planning to manage this? Coordinated disclosure? Automation pipelines? Manual triage?
Let’s use this thread to unpack what these obligations mean in practice, especially for small teams, FOSS maintainers, and companies without a dedicated Computer Emergency Response Team.