What are the notification obligations of open-source software stewards?
Per Article 24(3), open-source software stewards are subject to a subset of the notification obligations of manufacturers defined in Article 14.
- If a steward is involved in the development of an open source project that it stewards, it must notify both its relevant CSIRT and ENISA of any actively exploited vulnerability in that project, see Article 14(1).
- If a steward provides IT infrastructure used for the development of an open source project that it stewards, it must notify its relevant CSIRT and ENISA of any severe incident having an impact on the security of that project, see Article 14(3).
- In both of those cases, it must inform impacted users (and where appropriate all users) of that open source project through available channels (e.g. changelog, blog post, mailing list, direct contact when available, etc.), see Article 14(8).
The table below provides an actionable summary of those notification and information obligations that accounts for stewards not necessarily being aware of who their users are nor being able to reach out to them individually.
| Steward support level | Notify vulnerabilities[1] | Notify incidents[2] | General announcement[3] | Message known users[3] |
|---|---|---|---|---|
| Provides non-technical support only | N/A | N/A | N/A | N/A |
| + provides IT infrastructure | N/A | ✓ | ✓ | N/A |
| + provides engineering resources (incl. security) | ✓ | ✓ | ✓ | N/A |
| + has 1:1 relationship with some users | ✓ | ✓ | ✓ | ✓ |
Disclaimer
Disclaimer: The information contained in this FAQ is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity. It is not necessarily comprehensive, complete, accurate, or up to date. It does not constitute professional or legal advice. If you need specific advice, you should consult a suitably qualified professional.