# Vulnerability Management

## Legal Basis
§30(2) No. 5 BSIG – Security measures in acquisition, development and maintenance of IT systems, components and processes, including vulnerability management and disclosure
## Vulnerability Detection

| Method | Description | Interval |
|---|---|---|
| Automated scanning | Infrastructure and application scans | Weekly |
| CVE monitoring | Monitoring of relevant CVE feeds and advisories | Ongoing |
| Dependency monitoring | Automated checking of software dependencies (Dependabot, Trivy) | Ongoing |
| Penetration tests | External and internal tests by qualified testers | Annually |
## Patch Management

| Severity | Deadline | Example |
|---|---|---|
| Critical (CVSS ≥ 9.0) | 48 hours | Remote code execution, actively exploited |
| High (CVSS 7.0–8.9) | 7 days | Privilege escalation, data leak |
| Medium (CVSS 4.0–6.9) | 30 days | Denial of service, information disclosure |
| Low (CVSS < 4.0) | Next release cycle | Cosmetic issues, low impact |
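As an added illustration (not part of this policy or the organisation's own tooling) of how the deadlines above can be applied to scan output: the script below maps each finding of a Trivy-style JSON report to its severity band and due date and flags overdue items. The report is constructed with placeholder CVE IDs, and the field layout (`Results` → `Vulnerabilities` → `CVSS.nvd.V3Score`) is a simplifying assumption about the Trivy format.

```python
import json
from datetime import datetime, timedelta

# Deadline per severity band, as defined in the Patch Management table above.
BANDS = [  # (lower CVSS bound, label, deadline; None = next release cycle)
    (9.0, "Critical", timedelta(hours=48)),
    (7.0, "High", timedelta(days=7)),
    (4.0, "Medium", timedelta(days=30)),
    (0.0, "Low", None),
]

# Constructed Trivy-style report with placeholder IDs, trimmed to the fields
# used here; the schema (Results -> Vulnerabilities -> CVSS.nvd.V3Score) is assumed.
SAMPLE_REPORT = json.dumps({"Results": [{"Target": "app:1.0 (alpine 3.18)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "CVSS": {"nvd": {"V3Score": 9.8}}},
        {"VulnerabilityID": "CVE-0000-0002", "CVSS": {"nvd": {"V3Score": 5.3}}},
        {"VulnerabilityID": "CVE-0000-0003"},  # no score published yet
    ]}]})


def band_for(score):
    """Return (label, deadline) for a CVSS score using the policy bands."""
    for lower, label, deadline in BANDS:
        if score >= lower:
            return label, deadline
    raise ValueError(f"invalid CVSS score {score}")


def remediation_status(report_json, scanned_at, now, unscored_default=7.0):
    """Flatten a report into findings with severity, due date and overdue flag.

    Timestamps are ISO 8601 strings. Findings without a CVSS score get
    `unscored_default` (High) until triaged, so an unscored issue can never
    silently fall into the Low band.
    """
    scanned, current = datetime.fromisoformat(scanned_at), datetime.fromisoformat(now)
    rows = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities", []):
            score = float(v.get("CVSS", {}).get("nvd", {}).get("V3Score", unscored_default))
            label, deadline = band_for(score)
            due = scanned + deadline if deadline else None
            rows.append({"id": v["VulnerabilityID"], "target": result["Target"],
                         "score": score, "severity": label, "due": due,
                         "overdue": due is not None and current > due})
    return rows


if __name__ == "__main__":
    for r in remediation_status(SAMPLE_REPORT, "2024-01-01T00:00:00", "2024-01-04T00:00:00"):
        print(r["id"], r["severity"], r["due"], "OVERDUE" if r["overdue"] else "")
```

In practice the scan timestamp comes from the CI run that produced the report, and the overdue list feeds the ticketing or alerting system rather than stdout.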
## Secure Development

For custom software:
- Security by design – Security requirements from the design phase
- Code review – Four-eyes principle for security-relevant changes
- Automated tests – Lint, build, security scan in CI/CD pipeline
- Dependency pinning – Versioned and verified dependencies
## Coordinated Vulnerability Disclosure

- Reporting channels for external security researchers documented
- Processing timelines for reported vulnerabilities defined
- Coordination with discoverers before publication
## CRA Synergy

Product-related vulnerability management (SBOM-based CVE monitoring, CycloneDX, Trivy scanning) is described in the CRA Vulnerability Management Documentation. NIS2 supplements this with infrastructure and operational vulnerability management.