CRA in practice
VEX - Cutting through the Noise in Software Supply Chain Security
January 31, 2026
5:30 PM – 5:45 PM Add to calendar
5:30 PM – 5:45 PM Add to calendar
UA2.114 (Baudoux)
<p>Security teams are currently drowning in vulnerability data, but the Vulnerability Exploitability eXchange (VEX) offers a solution by providing machine-readable clarity on which exploits actually matter. This technology is rapidly evolving from a "nice-to-have" efficiency tool into a critical compliance enabler for the EU Cyber Resilience Act (CRA), which mandates effective vulnerability handling for the European market.</p>
<p>In this session, Georg and Rao present the findings from the VEX Industry Collaboration Working Group, a group of industry leaders driving the development and application of VEX. The group identified a set of challenges and gaps hampering adoption, ranging from the different evolving technical directions in VEX formats to practical barriers such as discovery and distribution of VEX documents, immature tooling, and education. Rao and Georg will outline a shared path forward, advocating for the creation of a common distribution system, development of necessary tooling, and establishing a forum for collaboration between industry partners and open source projects to drive adoption and education.</p>
Additional information
| Live Stream | https://live.fosdem.org/watch/ua2114 |
|---|---|
| Type | devroom |
| Language | English |
More sessions
| 1/31/26 |
<p>Opening remarks and housekeeping.</p>
|
| 1/31/26 |
<p>Deutsche Bahn, with its 230,000 employees and hundreds of subsidiaries, is far from an average organization. Yet it faces the same challenges under the CRA as many others. In this session, we will show how we connected the concrete requirements of CRA compliance with our broader effort to bring transparency to our software supply chains. This forms the basis for security and license compliance processes, as well as for proactively shaping the ecosystems we depend on.</p> <p>We will outline ...
|
| 1/31/26 |
<p>EV charging stations expose a uniquely difficult CRA landscape: A single physical device can be accessed through very different user paths: ISO 15118 (Plug&Charge), RFID cards, mobile apps, credit-card terminals, and OEM-backends. Between the end user and the actual product manufacturer sit multiple intermediaries (CSMS, OEM cloud, roaming hubs, payment processors), each with partial control over configuration, telemetry, and security posture. How to deliver all the CRA obligations across ...
|
| 1/31/26 |
<p><a href="https://github.com/erlang/otp">Erlang/OTP</a> is an open source programming language designed for the development of concurrent and distributed systems. Created 40 years ago and open sourced in 1998, Erlang is used by <a href="https://www.ericsson.com/en">Ericsson</a>, <a href="https://www.cisco.com/">Cisco</a>, <a href="https://www.whatsapp.com/">WhatsApp</a>, <a href="https://discord.com/">Discord</a>, and <a href="https://www.klarna.com/se/">Klarna</a> for mission critical ...
|
| 1/31/26 |
<p>Embedded products are at the core of the Cyber Resilience Act, yet they face unique compliance challenges. Hardware vendors ship heavily patched BSPs, software modules often diverge from upstream, and reliable identification of modified components is still far from solved. For teams building products on top of these layers, translating CRA requirements into daily engineering practice is not straightforward.</p> <p>This talk provides a practical overview of where CRA compliance currently ...
|
| 1/31/26 |
<p>The Cyber Resilience Act (CRA) is reshaping expectations around open source software, introducing new requirements for security, traceability, and documentation. While maintainers are responsible for technical compliance, community managers play a critical but often overlooked role in helping projects adapt. This session is designed for community managers, project maintainers, stewards, and open source contributors interested in practical CRA readiness. The focus is on practical enablement by ...
|
| 1/31/26 |
<p>This panel brings together experts to discuss the practical realities of implementing the CRA steward role, as defined by the regulation, and how organisations are approaching its execution. Panelists will explore how the concept of CRA stewards is being interpreted, what responsibilities are emerging in practice, and the challenges organisations face in preparing for this new function. They will also highlight which elements remain unclear, what support or guidance is still needed, and how ...
|
