Skip to main content

EU Cyber Resilience Act & SBOM

The EU Cyber Resilience Act (CRA) sets baseline cybersecurity obligations for digital products. Stockaj's roadmap targets full conformance ahead of the CRA enforcement deadline.

What we ship per release

Software Bill of Materials (SBOM) in CycloneDX 1.5 JSON format, generated automatically in CI from production dependencies.
Vulnerability disclosure via security.txt (RFC 9116) at https://stockaj.io/.well-known/security.txt.
Coordinated vulnerability handling policy with 90-day disclosure window.
Cryptographically signed release artifacts (Sigstore / cosign).

SBOM access

Audience	Where
Tenants on Enterprise plan	`GET /api/v1/release/{tag}/sbom.cdx.json`
Public	Stockaj GitHub release attachments
Auditors under NDA	Dedicated audit portal

Secure-by-default posture

All requests served over HTTPS with HSTS preload.
mTLS available between kiosk and API for fleet customers.
OWASP ASVS Level 2 baseline enforced in CI.
OAuth 2.1 (mandatory PKCE) for API auth; OIDC for SSO.

Standards alignment

Standard	Status
EU CRA	Conformance ahead of enforcement deadline
ISO/IEC 27001	Audit-target by v4 + 12 months
ISO/IEC 27701 (privacy extension)	Audit-target by v4 + 18 months
OWASP ASVS Level 2	Required for every release
CycloneDX 1.5 SBOM	Generated per release

Reference

EU CRA — https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
CycloneDX — https://cyclonedx.org/
OWASP ASVS — https://owasp.org/www-project-application-security-verification-standard/

What we ship per release
SBOM access
Secure-by-default posture
Standards alignment
Reference