On 24/10/2025 08:27, Olle E. Johansson wrote:
On 23 Oct 2025, at 19:09, Piotr P. Karwasz <[email protected]> wrote:
Hi Mark,
On 23.10.2025 14:03, Mark Thomas wrote:
There is currently an expectation in the CRA that a product will not be
released if there are known (by the maintainer) security vulnerabilities
in that product.
That must be a misunderstanding here somewhere. The CRA talks about products
“placed on the market”. I don’t think Open Source counts as that.
This thread started as a direct result of a discussion at Code &
Compliance. I'll let Dirk-Willem fill in the details, but there is -
currently - an expectation that OSS will not be releasing software with
known vulnerabilities. The purpose of this thread is to collect examples
as to why that might not always be the case, so that this can be fed back and
the expectation corrected.
The CRA also talks about three categories of vulnerabilities
- known vulnerabilities
- exploitable vulnerabilities
- known exploited vulnerabilities
I think that it says that products should not be placed on the market if the
product - including dependencies - has known exploited vulnerabilities.
No. Annex 1, Part 1, Para 2, point (b): "... without known *exploitable*
vulnerabilities"
It also doesn't define known by whom.
The guidelines on what this means have not been published. A possible
inspiration can be the Technical implementation guide to NIS2 that was
published by ENISA in June -
https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance
I haven’t read it fully, but I glanced over the parts about vulnerability
management and was not very impressed and a bit shocked. But I guess that is
another story.
My real question here is whether the obligation to place a product on the market
without (some level of known) vulnerabilities applies to Open Source?
Directly, no, because Open Source Stewards don't place products on the
market.
However, if you look at the text around attestation programmes you see
phrases like:
"...voluntary security attestation programmes for assessing the
conformity of products with digital elements qualifying as free and
open-source software with all or certain essential
cybersecurity requirements or other obligations laid down in this
Regulation..."
Given that one of the essential cyber security requirements is releasing
without known vulnerabilities, that could apply to OSS if OSS wanted to
use attestations. From a market efficiency point of view, manufacturers
are going to want at least popular OSS dependencies to have attestations
(even if the manufacturers have to fund that themselves).
Mark