In an era where digital security is paramount, the European Union is taking steps to improve cybersecurity legislation with the introduction of the European Union Cyber Resilience Act (CRA). Now that the European Union has adopted the CRA, Qt Group continues to work towards making our products CRA compliant and supporting our customers with their own compliance.
One key aspect of the CRA is that it requires vendors to provide customers with security updates during the product's full lifecycle. To better serve our customers’ needs, Qt Group has recently announced that it will extend the support period of its long-term support releases from three to five years, starting from Qt 6.8.
The Qt Framework distinguishes between standard and long-term support (LTS) releases, each with its own tailored support period to meet different project needs. Standard releases are supported with bug fixes and security maintenance update releases for one year. In contrast, LTS releases, which are generally every fourth minor version from Qt 6.8 onwards, receive extended support and, from Qt 6.8 onwards, maintenance releases for five years. The LTS versions are particularly beneficial for projects requiring a stable and secure foundation over a longer timeframe. Additionally, we now offer Extended Security Maintenance for customer projects stuck on older versions of Qt that are no longer under standard support.
Another crucial element of the CRA is its focus on vulnerability handling requirements. The law specifically mentions “actively exploited vulnerabilities” which are defined as: “a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner.”
To improve its security and comply with legal requirements, Qt Group has further hardened the robustness of the protocols and practices of the Qt Framework, as described in Section 7 of the Support Terms. Upon identification, reported issues are evaluated to ascertain whether they constitute a genuine security threat. Verified security issues are promptly rectified, with the severity of the issue dictating the urgency of the response. In instances where a security issue originates from a third-party library, Qt Group takes the initiative to inform the concerned party and integrates the resolution in the subsequent maintenance release of the Qt software. All verified security issues are comprehensively documented, including in public Common Vulnerabilities and Exposures (CVE) databases. In addition, the Qt Framework offers an Early Warning List (EWL) to commercial Qt customers for advance notice of verified security issues.
The EWL process will be expanded to all Qt Group commercial software products in the future and will be available to commercial customers regardless of product type.
The Qt Project develops the Qt Development Framework and Tools under an open process and has a well-defined security issue handling process for its open source framework. The current process is documented in the Qt Project Improvement Proposals (QUIPs), specifically in QUIP 0015. The Qt Project will be working to update its processes and practices to adhere to the requirements of the CRA, including its specific open-source provisions. Here is an overview of the Qt Project process:
This process is designed to ensure that security issues are handled efficiently and transparently, while maintaining the integrity of the Qt Framework.
Software supply chains are increasingly complex. One facet of the CRA (also addressed in recent US executive orders and guidance) is the call for a Software Bill of Materials, or “SBOM”. SBOM documentation will be a key part of CRA compliance for companies. Qt Group will provide SBOM documents in standard formats in Qt 6.8 LTS. That will be followed by further documentation developments across the full Qt Group product portfolio.
We also welcome feedback and input from our customers on the resources and tooling that play a part in our customers’ own SBOM creation based on their full software stack.