Preparing for the European Cyber Resilience Act (CRA)
October 31, 2024 by Juhapekka Niemi | Comments
In an era where digital security is paramount, the European Union is taking steps to improve cybersecurity legislation with the introduction of the European Union Cyber Resilience Act (CRA). Now that the European Union has adopted the CRA, Qt Group continues to work towards making our products CRA compliant and supporting our customers with their own compliance.
Changes to Long-Term Support (LTS) Releases
One key aspect of the CRA is that it requires vendors to provide customers with security updates during the product's full lifecycle. To better serve our customers’ needs, Qt Group has recently announced that it is extending the support period of its long-term support releases from three to five years, starting with Qt 6.8.
The Qt Framework distinguishes between standard and long-term support (LTS) releases, each with its own support period to meet different project needs. Standard releases are supported with bug-fix and security maintenance releases for one year. In contrast, LTS releases, which from Qt 6.8 onwards are generally every fourth minor version, receive extended support and (from Qt 6.8 onwards) maintenance releases for five years. The LTS versions are particularly beneficial for projects requiring a stable and secure foundation over a longer timeframe. Additionally, we now offer Extended Security Maintenance for customer projects that remain on older versions of Qt no longer under standard support.
Security and Vulnerabilities Handling
Another crucial element of the CRA is its focus on vulnerability handling requirements. The law specifically mentions “actively exploited vulnerabilities”, which it defines as “a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner.”
To improve its security and comply with legal requirements, Qt Group has further hardened the protocols and practices of the Qt Framework, as described in Section 7 of the Support Terms. Upon identification, reported issues are evaluated to ascertain whether they constitute a genuine security threat. Verified security issues are promptly rectified, with the severity of the issue dictating the urgency of the response. Where a security issue originates from a third-party library, Qt Group takes the initiative to inform the concerned party and integrates the resolution in the subsequent maintenance release of the Qt software. All verified security issues are comprehensively documented, including in public Common Vulnerabilities and Exposures (CVE) databases. In addition, the Qt Framework offers an Early Warning List (EWL) to commercial Qt customers for advance notice of verified security issues.
The EWL process will be expanded to all Qt Group commercial software products in the future and available for commercial customers regardless of product type.
The Qt Project Open Source Security and Vulnerabilities Handling
The Qt Project develops The Qt Development Framework and Tools under an open process and has a well-defined security issue handling process for its Open Source Framework. The current process is documented in the Qt Project Improvement Proposals (QUIPs), specifically in QUIP 0015. The Qt Project will be working to update its processes and practices to adhere to the requirements of the CRA—including specific open-source CRA provisions. Here is an overview of the Qt Project process:
- Security Team: The Qt Project has a core security team consisting of selected developers responsible for ensuring the security policy is followed.
- Proactive Measures: The project employs regular code reviews, static code analysis and fuzz testing to prevent security vulnerabilities.
- Reporting Security Issues: Security issues should not be reported through the normal bug tracker but sent directly to the Qt Project Security team at security@qt-project.org. For commercial license holders, issues can be reported via the Qt Account Support Center.
- Handling Reported Issues: The Core Security Team assesses and addresses reported security issues, coordinating with module maintainers as needed.
- Disclosure: The Qt Project believes in full disclosure, providing complete information on where patches can be found and which versions of the software are affected.
This process is designed to ensure that security issues are handled efficiently and transparently, while maintaining the integrity of the Qt Framework.
Software Bill of Materials (SBOM) access
Software supply chains are increasingly complex. One facet of the CRA (also addressed in recent US executive orders and guidance) is the call for a Software Bill of Materials, or “SBOM”. SBOM documentation will be a key part of CRA compliance for companies. Qt Group will provide SBOM documents in standard formats in Qt 6.8 LTS. That will be followed by further documentation developments across the full Qt Group product portfolio.
Additionally, we welcome feedback and input from our customers on the resources and tooling that play a part in our customers’ own SBOM creation, based on their full software stack.