Vulnerability Management Guide for CRA and Continuous Remediation
Core processes to meet CRA obligations: intake, triage, remediation, disclosure, and monitoring.
Ground your scope with the CRA Compliance Guide, use SBOM Best Practices to feed accurate component data, and compare obligations in CRA vs NIS2/GDPR.
Once remediation plans exist, move into Remediation to assign owners and deadlines and to track fixes against the CRA timelines.
Intake & identification
Aggregate signals from SBOM scans, advisories, bug bounty reports, and monitoring. Standardize intake with metadata and product context.
Triage & prioritization
Prioritize by severity (CVSS), exploitability, exposure, and business criticality. Create remediation plans with owners and due dates.
Remediation & verification
Implement fixes (patches, upgrades, mitigations) and verify with testing. Record evidence to maintain an auditable trail.
Disclosure & communication
Meet CRA timelines: report exploited vulnerabilities to authorities within 24h and publish advisories within 72h where applicable.
Continuous monitoring
Schedule periodic scans, track new CVEs for SBOM components, and maintain dashboards for SLAs and backlog health.
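The triage, remediation and disclosure steps above as one small triage routine, added here as an example and not part of the original guide. The scoring weights, the per-tier fix SLAs, the field names and the sample finding are assumptions; the 24h authority report and 72h advisory clocks are the timelines stated in the guide.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Finding:
    component: str          # SBOM component the finding maps to (purl)
    vuln_id: str            # CVE / advisory identifier (placeholder in the sample)
    cvss: float             # CVSS base score, 0.0 - 10.0
    known_exploited: bool   # evidence of active exploitation
    internet_exposed: bool  # affected surface reachable from the internet
    criticality: int        # business criticality: 1 (low) .. 3 (high)
    detected_at: datetime   # when the report entered intake (UTC)

def priority_score(f: Finding) -> float:
    """Severity + exploitability + exposure + criticality. Weights are assumed."""
    score = f.cvss
    if f.known_exploited:
        score += 3.0
    if f.internet_exposed:
        score += 1.5
    score += 0.5 * (f.criticality - 1)
    return round(min(score, 15.0), 1)

# Fix SLAs per tier in days: assumed values, tune to your own policy.
SLA_DAYS = {"P0": 7, "P1": 14, "P2": 30, "P3": 90}

def remediation_plan(f: Finding, owner: str) -> dict:
    """Plan record with owner, tier, fix deadline and the CRA clocks
    (24h authority report, 72h advisory) for actively exploited findings."""
    score = priority_score(f)
    if f.known_exploited:
        tier = "P0"
    elif score >= 9.0:
        tier = "P1"
    elif score >= 6.0:
        tier = "P2"
    else:
        tier = "P3"
    plan = {"vuln_id": f.vuln_id, "component": f.component, "owner": owner,
            "score": score, "tier": tier,
            "fix_due": f.detected_at + timedelta(days=SLA_DAYS[tier])}
    if f.known_exploited:
        plan["authority_report_due"] = f.detected_at + timedelta(hours=24)
        plan["advisory_due"] = f.detected_at + timedelta(hours=72)
    return plan

# Constructed sample finding; the identifier is a placeholder, not a real CVE.
SAMPLE = Finding("pkg:npm/example-lib@1.2.3", "CVE-0000-00000", 8.1, True, True, 3,
                 datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc))
```

Feed the resulting plan records into the remediation tracker and the SLA dashboard so the 24h and 72h clocks are visible alongside the fix deadline.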