Hi, please see https://www.debian.org/consultants/ for a list of consultants who can help you if you cannot gather the information yourself.
You also need to establish a process to end of life dates for software you use given the version number you mention.

Ansgar

On Mon, 2025-08-11 at 10:56 +0000, KATARE, SAURABH [EMR/MSOL/PUNE] wrote:
> Hello,
>
> I hope this message finds you well.
>
> As part of our ongoing efforts to comply with the EU Cyber Resilience
> Act (CRA), we are currently conducting a cybersecurity risk
> assessment of third-party software vendors whose products or
> components are integrated into our systems.
>
> To support this initiative, we kindly request your input on the
> following questions related to your software product
> "debianutils" with version 4.9.1. Please provide your responses
> directly in the table below and do reply to all added in this email,
>
> Additional Information:
> * Purpose: This security assessment is part of our due diligence and
>   regulatory compliance obligations under the EU CRA.
> * Confidentiality: All information shared will be treated as
>   confidential and used solely for the purpose of this assessment.
> * Contact: Should you have any questions or need further
>   clarification, please feel free to reach out by replying directly to
>   this email.
>
> We kindly request your response by Monday, August 25, 2025, to ensure
> timely completion of our assessment process. Thank you for your
> cooperation and continued partnership in maintaining a secure and
> resilient digital environment.
>
> Sr. No. | Queries to Vendor | Response from Vendor (Yes/No) | Additional Remarks from Vendor
> 1 | Is Secure Software Development Lifecycle followed for developing this component? | |
> 2 | Do you provide regular security updates for "debianutils"? | |
> 3 | Is there any discontinuation/End of life for the latest version of "debianutils" in near future? | |
> 4 | Do you have Long Term support for "debianutils"? If yes please mention the version in Remark column | |
> 5 | Is appropriate cybersecurity testing followed? If yes, is any specific standard for testing used? | |
> 6 | Are there any vulnerabilities in the latest version which are not disclosed publicly? If yes, when will it be fixed and released? Please mention in Remark column. | |
> 7 | Is the vulnerability handling procedure available for "debianutils"? If yes mention the procedure in the Remark column. | |
> 8 | Do you comply with EU-CRA requirements? | |
> 9 | Do you provide proof of conformity regarding adherence to EU-CRA? If yes please mention details in Remark column | |
>
> Best regards,
> Saurabh.
>
> Saurabh Katare | Engineer, Software Development
> Emerson | Plot no 23, Rajiv Gandhi InfoTech Park | Phase II, Hinjawadi | Pune | Maharashtra | 411057 | India
> saurabh.kat...@emerson.com