Remove CRA requirements from PEP

sethmlarson · sethmlarson · commit c1871302934c · 2025-10-23T14:33:29.000-05:00
diff --git a/peps/pep-0811.rst b/peps/pep-0811.rst
@@ -221,14 +221,8 @@ applying to join the PSRT. These responsibilities include:
 * Coordinators that can no longer move a report forwards for any reason must
   delegate their Coordinator role to someone else in the PSRT.
 * PSRT members that are admins will have additional responsibilities.
-* PSRT members who are staff of the Python Software Foundation, as an
-  "Open Source Steward" defined in `Article 24 of the Cyber Resilience Act`_,
-  have `additional responsibilities`_, such as reporting actively exploited
-  vulnerabilities to ENISA/CSIRTs.
 
 .. _security-announce@python.org: https://mail.python.org/archives/list/security-announce@python.org/
-.. _Article 24 of the Cyber Resilience Act: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_24
-.. _additional responsibilities: #responsibilities-of-psf-staff-psrt-members
 .. _Python Developer's Guide: https://devguide.python.org/developer-workflow/psrt/
 
 Responsibilities of PSRT Admins
@@ -243,43 +237,6 @@ following additional responsibilities:
 * On a yearly basis, providing the Steering Council with a report including
   a list of inactive PSRT members.
 
-Responsibilities of PSF Staff PSRT members
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The Python Software Foundation acts as the "Open Source Steward" for
-CPython, pip, and other projects according to the Cyber Resilience Act (CRA).
-Therefore, vulnerability reporting has additional requirements for PSF staff
-detailed in CRA `Article 24 <https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_24>`_.
-These requirements can be summarized as:
-
-* Maintain a vulnerability disclosure policy fostering the voluntary reporting
-  of vulnerabilities. The policy shall include aspects related to documenting,
-  addressing, and remediating vulnerabilities and promote the sharing of
-  information concerning discovered vulnerabilities within the open-source
-  community.
-
-* Cooperate with EU market surveillance authorities (ENISA and CSIRTs) to
-  mitigate cybersecurity risks.
-
-* If a vulnerability is **known to be actively exploited** EU market
-  surveillance authorities must be notified through the Single Reporting
-  Platform (SRP) within the following timelines:
-
-  * **Within 24 hours of becoming aware of an actively exploited
-    vulnerability:** submit an early warning notification.
-  * **Within 72 hours of becoming aware of an actively exploited
-    vulnerability:** submit general information,
-    the product, general nature of the exploit and vulnerability, and
-    mitigating measures taking or mitigating measures that users can take.
-  * **Within 14 days after a corrective or mitigating measure is available:** a
-    final report including a description of the vulnerability including
-    severity and impact, information concerning any malicious actor, and details
-    about the security update or other corrective measures available to remedy
-    the vulnerability.
-
-Note that these additional responsibilities don't apply to all members of the
-PSRT, only to PSF staff.
-
 GitHub Security Advisories and GitHub Team
 ------------------------------------------
 
