# Cyber Resilience Act (CRA) Vulnerability Handling Checklist
This checklist helps organisations establish and maintain an effective vulnerability management process in line with Cyber Resilience Act requirements and industry best practices.
## 1. Vulnerability Reporting Process
- ☐ A Vulnerability Disclosure Policy (VDP) is published.
- ☐ A dedicated security contact email is available.
- ☐ Customers can report vulnerabilities.
- ☐ Security researchers can report vulnerabilities.
- ☐ Suppliers and partners can report vulnerabilities.
- ☐ Reporting instructions are publicly available.
- ☐ Report acknowledgements are issued within defined timescales.
## 2. Vulnerability Intake and Registration
- ☐ All vulnerability reports are logged.
- ☐ Reports receive a unique reference number.
- ☐ Reporter details are recorded.
- ☐ Product and version details are recorded.
- ☐ Evidence and proof-of-concept information are retained.
- ☐ Submission dates and investigation dates are recorded.
## 3. Risk Assessment
- ☐ Vulnerabilities are reviewed by authorised personnel.
- ☐ Severity ratings are assigned.
- ☐ Business impact is assessed.
- ☐ Exploitability is assessed.
- ☐ Customer impact is evaluated.
- ☐ Regulatory reporting requirements are considered.
## 4. Active Exploitation Assessment
- ☐ Procedures exist to identify active exploitation.
- ☐ Threat intelligence feeds are monitored.
- ☐ Security alerts are reviewed.
- ☐ Known exploited vulnerabilities are monitored.
- ☐ Escalation procedures are documented.
- ☐ Evidence supporting exploitation assessments is retained.
## 5. Remediation and Corrective Actions
- ☐ Corrective actions are documented.
- ☐ Security fixes are developed.
- ☐ Mitigations are implemented where fixes are unavailable.
- ☐ Security testing is completed before release.
- ☐ Remediation activities are tracked to closure.
- ☐ Closure approvals are documented.
## 6. Customer Communications
- ☐ Customers can be notified of security issues.
- ☐ Security advisories are published.
- ☐ Mitigation guidance is available.
- ☐ Update instructions are provided.
- ☐ Customer notifications are retained for audit purposes.
## 7. Regulatory Reporting
- ☐ Reporting responsibilities are assigned.
- ☐ CRA reporting procedures are documented.
- ☐ Active exploitation assessments are completed promptly.
- ☐ Early warning reports can be submitted within 24 hours.
- ☐ Detailed notifications can be submitted within 72 hours.
- ☐ Final reports can be submitted within required timescales.
## 8. Record Keeping
- ☐ Vulnerability records are retained.
- ☐ Investigation records are retained.
- ☐ Risk assessments are retained.
- ☐ Customer communications are retained.
- ☐ Remediation evidence is retained.
- ☐ Regulatory reports are retained.
## 9. Management Oversight
- ☐ Vulnerability metrics are reviewed regularly.
- ☐ Open vulnerabilities are monitored.
- ☐ Critical vulnerabilities receive priority treatment.
- ☐ Lessons learned are documented.
- ☐ The vulnerability management process is reviewed annually.
## CRA Reporting Deadlines

| Requirement | Timeline |
|---|---|
| Early Warning Notification | Within 24 Hours |
| Detailed Notification | Within 72 Hours |
| Final Vulnerability Report | Within 14 Days of Corrective Measure Availability |
| Final Incident Report | Within 1 Month |
## Recommended Security Contact Information

Email: [email protected]
Alternative Email: [email protected]
Reporting Portal: https://yourcompany.com/security-reporting