ENISA Final Report (14 Days)
Template: Final Report pursuant to Art. 14(2)(c) CRA
1. Reference to Previous Notifications
| Field | Value |
|---|---|
| Early Warning Reference | [EW-YYYY-NNN] dated [Date] |
| Notification Reference | [SM-YYYY-NNN] dated [Date] |
| Final Report Reference | [FR-YYYY-NNN] |
| Date | [YYYY-MM-DD] |
2. Manufacturer Identification
| Field | Value |
|---|---|
| Company | BAUER GROUP |
| Contact Person | [Name, Role] |
| Email | disclosure@cra.docs.bauer-group.com |
3. Summary
[Brief summary of the incident in 3-5 sentences]
4. Complete Timeline
| Date/Time | Event |
|---|---|
| [YYYY-MM-DD HH:MM] | Vulnerability/incident first detected |
| [YYYY-MM-DD HH:MM] | Triage completed, severity confirmed |
| [YYYY-MM-DD HH:MM] | ENISA Early Warning sent |
| [YYYY-MM-DD HH:MM] | Immediate measures implemented |
| [YYYY-MM-DD HH:MM] | ENISA Notification sent |
| [YYYY-MM-DD HH:MM] | Patch developed and tested |
| [YYYY-MM-DD HH:MM] | Patch released (Version X.Y.Z) |
| [YYYY-MM-DD HH:MM] | Users notified |
| [YYYY-MM-DD HH:MM] | Incident assessed as resolved |
5. Root Cause Analysis
Root Cause: [Detailed technical analysis of the root cause of the vulnerability]
How the vulnerability was introduced: [e.g. Coding error, third-party component, configuration error, design weakness]
When the vulnerability was introduced: [Version / date of introduction]
Why it was not detected earlier: [e.g. Not covered by automated scans, new attack vector]
6. Information on Malicious Actors (Art. 14(2)(c)(ii))
| Field | Value |
|---|---|
| Malicious Actor Identified | [Yes / No / Suspected] |
| Type of Attack | [Targeted Attack / Mass Exploitation / Unknown] |
| Known Threat Actors / Groups | [If known, e.g. APT group, campaign name] |
| Indicators of Compromise (IoC) | [IP addresses, hashes, domains – if available] |
| Cooperation with Authorities | [Yes (which) / No / Not applicable] |
7. Affected Products (final)
| Product | Affected Versions | Fixed Version | Users/Devices |
|---|---|---|---|
| [Name] | [v1.0.0 -- v1.3.2] | [v1.3.3] | [Number] |
8. Actions Taken (complete)
| Action | Date | Result |
|---|---|---|
| Immediate containment | [Date] | [Description] |
| Patch development | [Date] | [Version X.Y.Z] |
| Security review | [Date] | [Result] |
| Patch release | [Date] | [Available via: Release, Registry] |
| SBOM updated | [Date] | [New SBOM including fix] |
| User notification | [Date] | [Channel: Advisory, Email] |
| Enhanced monitoring | [Date] | [Description] |
9. Residual Risks
| Risk | Assessment | Mitigation |
|---|---|---|
| [e.g. Not all users have updated] | [Medium] | [Re-notification planned] |
| [e.g. Similar vulnerability in related code] | [Low] | [Proactive review conducted] |
10. Lessons Learned
What went well:
- [e.g. Rapid detection through CVE Monitor]
- [e.g. Patch provided within 24 hours]
What can be improved:
- [e.g. Extended test coverage for the affected area]
- [e.g. Faster user notification]
11. Measures to Prevent Future Incidents
| Measure | Responsible | Deadline |
|---|---|---|
| [e.g. Create additional SAST rule] | [Team] | [Date] |
| [e.g. Tighten dependency policy] | [Team] | [Date] |
| [e.g. Extend monitoring rules] | [Team] | [Date] |
| [e.g. Secure coding training] | [Team] | [Date] |
12. Declaration
We hereby confirm that the information contained in this Final Report is correct and complete to the best of our knowledge and belief.
| Field | Value |
|---|---|
| Name | [Name of the responsible person] |
| Role | [Role] |
| Date | [YYYY-MM-DD] |
| Signature | _________________________ |