EU CRA (Cyber Resilience Act)

Posted Jan 4, 2026 10:27 UTC (Sun) by Wol (subscriber, #4433)
In reply to: EU CRA (Cyber Resilience Act) by andrewaylett
Parent article: Kroah-Hartman: Linux kernel security work

How?

Either the security problem exists within an employer's product "placed on the market" in which case an employee reporting a problem DOES trigger obligations - the employee knows therefore - as far as the law is concerned - the manufacturer/importer/whoever also knows, or

The employer is not connected with the product at risk, and unless they are the steward for the software in question (not the case if the employee is either (a) working in his own time, or (b) working using time donated by the employer for projects of the employee's choice) the employer has no obligations at all. If they are the steward, and their employees work on the project, then they have to follow their declared guidelines.

Since this particular discussion started, it seems to me that the "steward" wording is aimed clearly at people like Google, Red Hat, Oracle, et al - the commercial distros and support-sellers.

Let's take Google, they provide a lot of services, under service contracts, to other companies. My company uses a lot of them ... One of those services, for example, is Gsheets. As far as our use of it is concerned, it's covered by the CRA because we have a support contract. But the whole point of the steward wording is to say that if I as a private individual (as opposed to a company employee) make use of Gsheets for my own personal use, any bugs I find are reported to Google in their role of steward. AND NO LEGAL LIABILITY RESULTS. Google, however, are now aware of the bug, and are expected to follow their declared procedures. Failure to do that *probably* *will* trigger liability, because if you combine a known bug, declared procedures, *and* *support* *contracts*, the regulator will say "you should have fixed it under the support contracts". Coupled with the requirement under the CRA to report any bugs and fixes upstream, that means I as a private individual get to see the bug fixed, otherwise Google forfeit their legal protection as steward.

Cheers,
Wol


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds