Chapter 3: Vulnerability Management
3.1 Overview
Vulnerability management is one of the core obligations under the CRA. Manufacturers must identify, assess, remediate, and report vulnerabilities in their products throughout the entire support period.
LEGAL BASIS
Art. 10(6) CRA: The manufacturer shall have effective and regular procedures in place to identify vulnerabilities in the product.
Annex I, Part II, No. 2: The manufacturer shall identify and document the vulnerabilities and components of the product and remediate known vulnerabilities without delay.
3.2 Process Architecture
                        +---------------------+
                        | SBOM (per release)  |
                        +----------+----------+
                                   |
       +--------------+------------+------------+------------+
       v              v            v            v            v
+--------------+  +--------+   +--------+   +--------+   +--------+
|CVE Monitoring|  |Dependa-|   | Trivy  |   | OSV-   |   | Grype  |
|(daily SBOM)  |  | bot    |   | Scan   |   |Scanner |   |(option)|
|              |  |(PR)    |   |(CI/CD) |   |(CI/CD) |   |        |
+------+-------+  +---+----+   +---+----+   +---+----+   +---+----+
       |              |            |            |            |
       +--------------+------------+------------+------------+
                                   |
                                   v
                        +----------------------+
                        | Triage & Assessment  |
                        | (CVSS / Severity)    |
                        +----------+-----------+
                                   |
               +-------------------+-------------------+
               v                   v                   v
      +-----------------+   +--------------+    +--------------+
      | CRITICAL/HIGH   |   | MEDIUM/LOW   |    | No CVEs      |
      | -> Immediate    |   | -> Planned   |    | -> Continue  |
      |    patch        |   | -> Next      |    |    monitoring|
      | -> ENISA report |   |    release   |    |              |
      |    if required  |   |              |    |              |
      +-----------------+   +--------------+    +--------------+
3.3 Chapter Structure
| Section | Topic | Description |
|---|---|---|
| 3.1 | CVE Monitoring | Daily scan of all product SBOMs against CVE databases |
| 3.2 | Dependency Monitoring | Continuous monitoring via Dependabot + GitHub Security Alerts |
| 3.3 | Patch Management | SLA-based process for vulnerability remediation |
| 3.4 | Risk Assessment | Methodology for assessment in the product context |
| 3.5 | Handling Requirements (Annex I Part II) | 8 vulnerability handling requirements |
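As an added illustration (not part of this chapter, nor code from any of the scanners named above), the following Python sketches the daily SBOM scan and the severity triage step from the process architecture in 3.2: components from a CycloneDX-style SBOM are matched against OSV-style advisories with introduced/fixed version ranges, rated on the CVSS v3 qualitative bands, and routed to the branches of the diagram. The SBOM, the advisory records, their placeholder IDs and their scores are all constructed sample data; the ENISA reporting decision is left to the Security Lead rather than automated.

```python
# Constructed sample SBOM in a CycloneDX-like shape (only the fields used here).
SBOM = {"components": [
    {"name": "libexample", "version": "1.4.2", "purl": "pkg:generic/libexample@1.4.2"},
    {"name": "netlib", "version": "2.0.1", "purl": "pkg:generic/netlib@2.0.1"},
    {"name": "jsonparse", "version": "3.1.0", "purl": "pkg:generic/jsonparse@3.1.0"},
]}

# Constructed advisories in an OSV-like shape; IDs are placeholders, not real CVEs.
# "fixed": None means no fixed version has been published yet.
ADVISORIES = [
    {"id": "PLACEHOLDER-0001", "package": "libexample", "introduced": "1.0.0", "fixed": "1.4.3", "cvss": 9.8},
    {"id": "PLACEHOLDER-0002", "package": "libexample", "introduced": "1.2.0", "fixed": "1.4.0", "cvss": 5.3},
    {"id": "PLACEHOLDER-0003", "package": "netlib", "introduced": "2.0.0", "fixed": None, "cvss": 6.5},
]

def vtuple(version):
    """Dotted version string -> comparable tuple, e.g. "1.4.2" -> (1, 4, 2)."""
    return tuple(int(part) for part in version.split("."))

def is_affected(version, introduced, fixed):
    """OSV range semantics: affected if introduced <= version < fixed."""
    v = vtuple(version)
    return vtuple(introduced) <= v and (fixed is None or v < vtuple(fixed))

def severity(cvss):
    """CVSS v3.x qualitative rating bands."""
    for floor, label in ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM")):
        if cvss >= floor:
            return label
    return "LOW"

def route(sev):
    """Branch from the process diagram; ENISA reporting stays a manual triage decision."""
    return "immediate_patch" if sev in ("CRITICAL", "HIGH") else "planned_next_release"

def triage(sbom, advisories):
    """One finding per affected component, worst CVSS first; [] = 'continue monitoring'."""
    findings = []
    for comp in sbom["components"]:
        hits = [a for a in advisories if a["package"] == comp["name"]
                and is_affected(comp["version"], a["introduced"], a["fixed"])]
        if not hits:
            continue  # clean component: nothing to route
        worst = max(hits, key=lambda a: a["cvss"])
        sev = severity(worst["cvss"])
        findings.append({"component": comp["purl"], "advisories": sorted(a["id"] for a in hits),
                         "cvss": worst["cvss"], "severity": sev, "route": route(sev),
                         "fix_available": worst["fixed"] is not None})
    return sorted(findings, key=lambda f: -f["cvss"])
```

Note that PLACEHOLDER-0002 is dropped for libexample 1.4.2 because its fixed version (1.4.0) is already below the shipped one; only findings with no published fix (here netlib) need a different remediation plan than "upgrade".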
3.4 Responsibilities
| Role | Task |
|---|---|
| Security Lead | Triage, risk assessment, escalation, ENISA reporting |
| DevOps Lead | CVE monitor operations, pipeline maintenance |
| Development Team | Patch development, testing |
| Product Owner | Prioritisation, release planning |