The Cyber Resilience Act (Article 13(1)) requires that when placing a product with digital elements on the market, the manufacturer ensures it has been designed, developed, and produced in accordance with the essential cybersecurity requirements in Annex I; among those, Annex I, Part I, point (2)(a) requires that the product be made available on the market without known exploitable vulnerabilities. Article 13(8) further obliges manufacturers to ensure, for the support period, that vulnerabilities are handled effectively in accordance with Annex I, Part II, which requires that vulnerabilities be addressed and remediated without delay, including by providing security updates (Part II, point (2)). Defect management is the operational backbone of these obligations; without a structured process for discovering, assessing, and resolving security defects, vulnerabilities accumulate silently and the organization cannot credibly claim that the product meets the essential cybersecurity requirements at the point of market entry or at any time thereafter.
Centrally track security defects from all relevant sources, including internal testing, external vulnerability reports, dependency scanning, and coordinated disclosure, and link each defect to the product version in which it was identified and to every version that shares the affected code. Assess known security defects using a consistent risk-based methodology that evaluates likelihood of exploitation and impact to users under realistic operating conditions, so that two assessors looking at the same defect reach the same rating. Ensure that remediation decisions are documented and traceable, including cases where residual risk is accepted, with a clear justification for that acceptance, a named owner, and a date on which the acceptance is revisited.
Collect and use metrics on defect volume, age, and resolution time to continuously improve the vulnerability handling process. These metrics provide visibility into whether the organization is keeping pace with incoming defects or falling behind, and serve as evidence of due diligence when engaging with market surveillance authorities. Treat defect management as a continuous discipline throughout the product's support period, feeding outcomes back into the risk assessment, threat model, and security requirements to strengthen the product over time.