@inthehands @aurorus A couple of footnotes on the CRA and liability.
If you put a piece of software on the EU market commercially, you're responsible for due diligence re vulnerabilities *and* for managing any vulnerabilities that get reported to you (with a list of things you must do about reporting, mitigation, etc.). There are some exemptions, such as noncommercial open source software and software for specific sectors - for example, products for marine use are exempted from the CRA, because they're already covered by the (stricter) E27 regulations.
What if the vulnerability is in a component you brought in from elsewhere (that is, the component itself and not your integration of it)? Well, there are several possibilities:
1. If it's a noncommercial open-source project you've put in a commercial product, that's *your* responsibility. You have to provide a fix or mitigation. You can ask the maintainer to do so, but they're under no legal obligation. And hey, it's open source - you have the code.
2. If it's a software product that is itself commercially placed on the EU market, then the developers of that are bound by the CRA too, so the responsibility moves to them. You can breathe a sigh of relief for now, though you're obligated to distribute the fix when you get it.
3. If it's a software product that isn't commercially placed on the EU market (e.g. something you bought from a non-EU entity which isn't offering the product generally on the EU market), then it's *your* responsibility. Sucks to be you if it isn't open source.
It doesn't really matter whether the code was written by a human, a bespoke code generator, an LLM or a space alien: if you signed off on it and put it on the EU market, *you* are responsible for its security.