Article 13 (6) in the Cyber Resilience Act requires manufacturers to report security vulnerabilities they find in an Open Source component they use to the upstream project. It also requires them to share “relevant code or documentation”. It is not entirely clear whether this means that the security fix itself must be upstreamed, but considering the purpose of the CRA I tend to see it that way. Now that’s all fine when there is a clear “upstream project” and it is still active. Send a patch or...