1. Introduction
This document outlines the compliance measures implemented by RedmineUP to align its Redmine plugins with the Cyber Resilience Act (CRA) requirements. It ensures that our products meet the cybersecurity obligations set by the European Union.
2. Product Overview
RedmineUP develops and sells commercial open-source plugins for Redmine, including:
- Agile Project Management Plugin
- CRM Plugin
- Helpdesk Plugin
- Checklists Plugin
- People Management Plugin
Since these plugins are commercially distributed and supported, CRA compliance is mandatory.
3. Cybersecurity Measures
3.1. Secure Development Practices
- Follow OWASP Secure Coding Practices to mitigate security vulnerabilities.
- Implement Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) during development.
- Conduct regular security audits of our codebase.
3.2. Vulnerability Management Policy
- Monitor vulnerabilities using automated tools (e.g., Dependabot, Snyk).
- Maintain a structured Incident Response Plan (IRP) to address security threats.
- Patch critical vulnerabilities within 30 days of discovery.
- Publish security advisories for users when necessary.
3.3. Reporting Cybersecurity Incidents
- Appoint a Security Officer responsible for handling incident notifications.
- Notify relevant EU regulatory bodies of major security incidents within 24 hours.
- Maintain logs of security breaches and remedial actions.
4. Compliance Documentation
- Maintain an up-to-date Software Bill of Materials (SBOM) for transparency.
- Document all security updates and patches in release notes.
- Provide clear security guidelines for end-users and administrators.
5. Software Support and Updates Policy
- Guarantee ongoing security updates for a minimum of 5 years.
- Offer a vulnerability disclosure program for security researchers.
- Ensure that all updates comply with EU cybersecurity standards.
6. Risk Assessment and Compliance Monitoring
- Conduct periodic risk assessments of all RedmineUP plugins.
- Engage external cybersecurity auditors for compliance validation.
- Ensure GDPR compatibility for handling personal data securely.
7. Legal Compliance and Future Adaptation
- Maintain a legal compliance team to monitor evolving EU regulations.
- Update this document regularly to reflect new security obligations.
8. Conclusion
This document serves as a formal commitment by RedmineUP to comply with the Cyber Resilience Act (CRA). It outlines the policies and procedures in place to ensure cybersecurity compliance for our commercial open-source plugins.