cra-kit: correct Art. 14 reporting mechanics (SRP/CSIRT/EUVD) and remove deleted ROADMAP references#603
Open
sameehj wants to merge 1 commit into
Open
cra-kit: correct Art. 14 reporting mechanics (SRP/CSIRT/EUVD) and remove deleted ROADMAP references#603sameehj wants to merge 1 commit into
sameehj wants to merge 1 commit into
Conversation
sameehj
force-pushed
the
cra-reporting-accuracy
branch
from
July 17, 2026 12:21
e811cee to
84026d1
Compare
Fix a systematic inaccuracy across the kit: Art. 14 reports are not sent "to ENISA" directly. They are filed via the ENISA Single Reporting Platform (SRP) to the CSIRT designated as coordinator, with ENISA notified simultaneously (Art. 14/16), and fixed vulnerabilities are published to the EUVD. - vulnerability-handling-process.md: add "how a report is filed" (SRP -> CSIRT + ENISA -> EUVD) section; add the severe-incident track (Art. 14(3), 1-month final report); reframe on-call from a staffing gap to follow-the-sun coverage plus a compliance commitment; update diagram, SLA table, and references. - Link the EU Authorised Representative appointment to the coordinator-CSIRT reporting end-point (Art. 14(7)) in eu-authorised-representative.md. - Correct "notify ENISA" / "24h ENISA reporting" wording in the shortlist, cheat sheet, glossary, slide outline, and SKILL.md. - Add SRP / CSIRT / EUVD glossary entries; tighten support-period wording to match Art. 13(2) (at least 5 years unless shorter expected lifetime). - Remove internal-correspondence detail from conformity-assessment-route.md. - Delete ROADMAP.md and remove all remaining references to it. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
sameehj
force-pushed
the
cra-reporting-accuracy
branch
from
July 17, 2026 13:00
84026d1 to
07efe62
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #574. Fixes a systematic inaccuracy in the CRA kit and cleans up references to
ROADMAP.md(removed in this PR).SKILL.md.vulnerability-handling-process.md: adds a "how a report is filed (SRP → CSIRT + ENISA → EUVD)" section; adds the severe-incident track (Art. 14(3), 1-month final report); reframes on-call from a staffing gap to wolfSSL's existing follow-the-sun coverage plus an explicit compliance commitment; updates the diagram, SLA table, and references.00-INDEX.mdis updated to match so the index and the document agree.SRP/CSIRT/EUVDentries; tightened support-period wording to match Art. 13(2).conformity-assessment-route.md: removes internal-correspondence detail from a customer-facing template.ROADMAP.mdand all remaining links/text references to it.Test plan
cra-kit/scripts/validate.shpasses (auditor packet validation OK)cbom-draft.cdx.jsonstill parses as valid JSONROADMAPreferences incra-kit/00-INDEX.mdstatus matchesvulnerability-handling-process.md