Commit 570a3251 authored by Daniel Thompson-Yvetot's avatar Daniel Thompson-Yvetot

Merge branch 'nordsec/no-known-vulnerabilities' into 'main_publish'

Added requirements for KEV

See merge request cyber/stan4cr2/en-304-617!50
parents b034acaa 9e00fce3
@@ -394,6 +394,14 @@ This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 P

> NOTE: It is proposed that a cross-vertical task force could work on the technical requirements to be included in this clause.

**[REQ-KEV-1]**:The product shall incorporate only components, including third party and open source elements, for which no known exploitable vulnerabilities exist at the time of release. 

Note: The manufacturer may relay on documentation in the form of an Software Bill of Materials (SBOM) as well as reasoning of why known vulnerabilities are not exploitable under the applicable, expected operational environment. 

**[REQ-KEV-2]**:In accordance with the requirement to apply effective and regular tests to the security of the product, the product shall be tested to demonstrate the absence or mitigation of known exploitable vulnerabilities.

Note: To demonstrate compliance, the manufacturer may rely on manual security testing (e.g., penetration testing), automated vulnerability scanners, or a combination of both, depending on what is most comprehensive and technically feasible for the product's technology stack.

**[REQ-MEM-KEV-1]**: Web browser interfaces that are, or could potentially be, exposed to untrusted data shall undergo automated dynamic analysis to identify vulnerabilities (for example, via techniques such as fuzzing in an environment that enables the detection of memory access errors).

**[REQ-MEM-KEV-2]** The web browser source code shall undergo automated static analysis to identify vulnerabilities (for example, via LLM code analysis).
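Review bot: The note under [REQ-KEV-1] has two typos that should be fixed before this lands in a normative text: "relay on documentation" should read "rely on documentation", and "an Software Bill of Materials" should read "a Software Bill of Materials". The requirement labels are also formatted inconsistently within the hunk: "**[REQ-KEV-1]**:The product" and "**[REQ-KEV-2]**:In accordance" have no space after the colon, while "**[REQ-MEM-KEV-2]** The web browser" has no colon at all; suggest the form already used by [REQ-MEM-KEV-1] ("**[REQ-MEM-KEV-1]**: Web browser interfaces ...") for all four, and writing the two "Note:" lines as "NOTE:" to match the "> NOTE:" convention visible in the surrounding context. Separately, giving "LLM code analysis" as the only illustrative technique for automated static analysis in [REQ-MEM-KEV-2] is unusual for a requirements document whose compliance must be demonstrable and repeatable; consider naming conventional static analysis tooling as the example and listing LLM-assisted review, if kept, as an additional option rather than the primary one.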