Vulnerability Management
The CRA sets vulnerability management obligations that apply to products in their entirety, including all third-party components. Manufacturers are to identify vulnerabilities that affect their products and respond to them without delay. This includes notifying the authorities within 24 hours of any actively exploited vulnerability, and notifying customers in a timely manner.
EU CRA Reference
Essential Cybersecurity Requirements, Annex I Part I § 2 a
Products with digital elements must ensure cybersecurity and be free from known vulnerabilities, have secure configurations, and support timely security updates. Protection from unauthorized access, data confidentiality, integrity, and availability must be ensured.
EU CRA Reference
Technical Documentation Requirements, Annex VII § 2 b
Technical documentation must include a general description of the product, software bill of materials, and user instructions. It should detail development and vulnerability handling processes, cybersecurity risk assessments, CE marking and the EU declaration of conformity.
EU CRA Reference
Early Warnings, Chapter II Obligations to Manufacturers, Article 14 § 2 a-c
Manufacturers must submit notifications for actively exploited vulnerabilities: an early warning within 24 hours, a detailed vulnerability notification within 72 hours, and a final report within 14 days after corrective measures are available. These reports should include vulnerability details, impact, and mitigation steps.
Qt Highlights
Reporting Security Issues for Commercial Users
Commercial customers get a response from Qt Group within 48 business hours (or within 24 hours with Premium Support).
1. New issue: Qt Group creates a ticket at bugreports.qt.io.
2. Known issue: Qt Group updates the existing ticket at bugreports.qt.io with more data and customer prioritization.
3. Qt Group assigns the issue for fixing.
4. Qt Group assigns a CVE number and sends the first Early Warning List (EWL) emails about the verified new issue.
5. The issue gets prioritized for the correct RnD teams to fix.
6. Once there is a patch, Qt Group sends a second EWL email.
7. The patch is integrated into a release, verified and tested.
8. Qt Group releases and sends a third and final EWL, along with public communications such as a blog post, security advisory, and a public CVE database update.
Reporting Security Issues for Open Source Users
1. User sends an email to [email protected].
2. Qt Group opens a new (for now hidden) issue in bugreports.qt.io, or updates an existing ticket with more data.
3. Wait for RnD grooming: verification that it is a real issue, prioritization, and a check on whether more information is needed.
Note: Even though this describes an avenue for customers to report issues, there are several other ways issues get raised to RnD, often through the Qt Project developer mailing list or third-party software project communications.
Next Steps at Qt Group
- Take the authorities' ENISA reporting interfaces into use when they become available.
- Improve systematic incident rehearsal processes and practices across all products.
The information contained on this page and this website does not constitute legal advice. It is provided for informational purposes and discussion of the subject matter only. Content is subject to change and The Qt Group does not guarantee the accuracy or currentness of the contents of this page nor is The Qt Group responsible for the content or operation of any external website that these pages link to—or that may link to—these pages. The information contained here is not, and should not be used as, a substitute for legal advice.