Thanks for the responsive, insightful feedback Marta.
The SDLC policy information and vulnerability disclosure information are contained in two documents, at present, but we can reasonably adjust if needed:
- CISA Secure by Design Software Acquisition Guide spreadsheet with information describing vulnerability management (see vulnerability tab in spreadsheet)
- CISA Secure Software Acquisition Form – mainly used by US government
We will adjust as appropriate, IF we are considered an open-source software steward. We have no intention of making our open-source software product available in the EU if BCG is considered a “manufacturer” with financial obligations.
Thanks,
Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
Risk always exists, but trust must be earned and awarded.™
https://businesscyberguardian.com/
Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx
Tel: +1 978-696-1788
From: Marta Rybczynska <marta.rybczynska@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, January 3, 2025 9:36 AM
To: dick@xxxxxxxxxxxxxxxxxxxxxxxxx; Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] A more positive take on CRA FAQs and flowcharts
I'm hoping to receive confirmation that an open-source steward will satisfy their EU-CRA obligations by providing the following artifacts, per product:
- An SBOM
- A living, online Vulnerability Disclosure Report (VDR)
- A Vendor Response Form containing additional product info, i.e. Support Status and Commercial status and more
- A CISA Secure by Design Software Acquisition Guide spreadsheet showing adherence to Secure by Design and Secure by Default principles and practices (https://cisa.gov/sag)
- A final risk assessment report (on request only)
Examples of these artifacts can be seen online at GitHub: https://github.com/rjb4standards/CISASAGReader
Any indication that these artifacts will not be sufficient to satisfy EU-CRA obligations would also be useful information to know.
Any feedback will help to provide clarity.
Looking into article 24 it seems to me that the list you have is way more than will be required from a steward. It looks more like a list of the manufacturer.
From my understanding stewards should:
- put in place a security policy that includes vulnerability handling policy (you do not have it on the list, but it is a logical dependency)
- cooperate with market surveillance (on request)
- report incidents if the steward is involved in development (if it is serious and they are aware?)