Skip to content

cra-kit: correct Art. 14 reporting mechanics (SRP/CSIRT/EUVD) and remove deleted ROADMAP references#603

Open
sameehj wants to merge 1 commit into
wolfSSL:masterfrom
sameehj:cra-reporting-accuracy
Open

cra-kit: correct Art. 14 reporting mechanics (SRP/CSIRT/EUVD) and remove deleted ROADMAP references#603
sameehj wants to merge 1 commit into
wolfSSL:masterfrom
sameehj:cra-reporting-accuracy

Conversation

@sameehj

@sameehj sameehj commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Summary

Follow-up to #574. Fixes a systematic inaccuracy in the CRA kit and cleans up references to ROADMAP.md (removed in this PR).

  • Correct the Art. 14 reporting mechanic. The kit previously described reports as going "to ENISA" directly. Under Art. 14/16 a manufacturer files via the ENISA Single Reporting Platform (SRP) to the CSIRT designated as coordinator, with ENISA notified simultaneously; fixed vulnerabilities are then published to the EUVD. Corrected across the shortlist, cheat sheet, glossary, slide outline, and SKILL.md.
  • vulnerability-handling-process.md: adds a "how a report is filed (SRP → CSIRT + ENISA → EUVD)" section; adds the severe-incident track (Art. 14(3), 1-month final report); reframes on-call from a staffing gap to wolfSSL's existing follow-the-sun coverage plus an explicit compliance commitment; updates the diagram, SLA table, and references.
  • Status change (please review): flips the vulnerability-handling headline from 🟡 "public SLA pending leadership approval" to a ✅ "wolfSSL Inc. commits to Art. 13/14 compliance" statement, and drops the "(proposed; pending leadership approval)" qualifier from the SLA section. 00-INDEX.md is updated to match so the index and the document agree.
  • Ties the EU Authorised Representative to the reporting end-point (Art. 14(7)): since wolfSSL Inc. has no EU main establishment, the AR's Member State determines the coordinator CSIRT.
  • Glossary: new SRP / CSIRT / EUVD entries; tightened support-period wording to match Art. 13(2).
  • conformity-assessment-route.md: removes internal-correspondence detail from a customer-facing template.
  • Removes ROADMAP.md and all remaining links/text references to it.

Test plan

  • cra-kit/scripts/validate.sh passes (auditor packet validation OK)
  • cbom-draft.cdx.json still parses as valid JSON
  • No remaining ROADMAP references in cra-kit/
  • 00-INDEX.md status matches vulnerability-handling-process.md

@sameehj
sameehj force-pushed the cra-reporting-accuracy branch from e811cee to 84026d1 Compare July 17, 2026 12:21
Fix a systematic inaccuracy across the kit: Art. 14 reports are not sent
"to ENISA" directly. They are filed via the ENISA Single Reporting Platform
(SRP) to the CSIRT designated as coordinator, with ENISA notified
simultaneously (Art. 14/16), and fixed vulnerabilities are published to the
EUVD.

- vulnerability-handling-process.md: add "how a report is filed"
  (SRP -> CSIRT + ENISA -> EUVD) section; add the severe-incident track
  (Art. 14(3), 1-month final report); reframe on-call from a staffing gap
  to follow-the-sun coverage plus a compliance commitment; update diagram,
  SLA table, and references.
- Link the EU Authorised Representative appointment to the coordinator-CSIRT
  reporting end-point (Art. 14(7)) in eu-authorised-representative.md.
- Correct "notify ENISA" / "24h ENISA reporting" wording in the shortlist,
  cheat sheet, glossary, slide outline, and SKILL.md.
- Add SRP / CSIRT / EUVD glossary entries; tighten support-period wording to
  match Art. 13(2) (at least 5 years unless shorter expected lifetime).
- Remove internal-correspondence detail from conformity-assessment-route.md.
- Delete ROADMAP.md and remove all remaining references to it.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
@sameehj
sameehj force-pushed the cra-reporting-accuracy branch from 84026d1 to 07efe62 Compare July 17, 2026 13:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant