OBL-ART24-02
Binding

Notify actively exploited vulnerabilities and severe incidents

Applies to
Open-source steward
Source citations
Art. 24(2)
Product classes
default, important-class-i, important-class-ii, critical
Last reviewed

Plain language

If you become aware that a vulnerability in your OSS is actively being exploited in the wild, or that a severe security incident has affected your software, you must notify the relevant CSIRT coordinator without undue delay. This is a lighter obligation than the manufacturer's 24-hour reporting window under Art. 14, but "without undue delay" still means promptly — days, not weeks. The CSIRT will coordinate the response and help with vulnerability disclosure.

Legal text

Article 24(2) of Regulation (EU) 2024/2847 provides that open-source software stewards shall notify, without undue delay and in any event within the timeframe established by implementing acts, the CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555 of:

  • any actively exploited vulnerability contained in the open-source software components they administer; and
  • any severe incident having an impact on the security of those open-source software components.

Following notification, the CSIRT shall treat the reported information confidentially and support the open-source software steward in disclosing the vulnerability in accordance with coordinated vulnerability disclosure practices.

Key requirements

  1. Trigger: active exploitation — duty arises when you become aware that a vulnerability in your software is actively exploited in the wild
  2. Trigger: severe incident — duty also arises for severe security incidents affecting the software's security properties
  3. Recipient: CSIRT coordinator — notify the national CSIRT designated as coordinator under NIS 2 Directive Art. 12, not ENISA directly
  4. Without undue delay — prompt notification; the exact deadline will be set by implementing act
  5. Confidentiality — the CSIRT handles reported information confidentially and supports coordinated disclosure

Evidence you may need

  • Notification sent to CSIRT coordinator (date, content, method)
  • Internal process for monitoring and detecting active exploitation
  • Incident log documenting when awareness was gained and actions taken
  • Coordinated disclosure timeline

Notify actively exploited vulnerabilities and severe incidents — CRA Compliance Hub