Fix: OpenClaw in Docker β Connection Refused, Port Mapping, and Network Issues
Running OpenClaw in Docker and getting connection refused? Common issues with port mapping, bind addresses, DNS resolution, and WebSocket upgrades explained with fixes.
DevOps
CRA Vulnerability Handling: Building a Compliant Disclosure Process
Luca Berton β’ β’ 1 min read
#cra#vulnerability-management#security#compliance#incident-response
π¨ 24 Hours to Report
The CRA mandates that manufacturers report actively exploited vulnerabilities to ENISA within 24 hours. This isnβt a suggestion β itβs a legal requirement starting September 2026.
The CRA Reporting Timeline
Hour 0: Vulnerability discovered/reported
β
Hour 24: Early warning notification to ENISA
β
Hour 72: Vulnerability notification with assessment
β
Day 14: Detailed vulnerability report
β
Day 30: Final report (if not resolved earlier)Building Your Vulnerability Handling Process
1. Intake: Accept Reports from Multiple Channels
# security.txt (RFC 9116) - Place at /.well-known/security.txt
Contact: mailto:[email protected]
Contact: https://yourcompany.com/security/report
Encryption: https://yourcompany.com/.well-known/pgp-key.txt
Acknowledgments: https://yourcompany.com/security/acknowledgments
Policy: https://yourcompany.com/security/policy
Preferred-Languages: en
Canonical: https://yourcompany.com/.well-known/security.txt
Expires: 2027-01-01T00:00:00.000Z2. Triage: Assess Severity and Impact
class VulnerabilityTriager:
def assess(self, report):
severity = self.calculate_cvss(report)
assessment = {
"cvss_score": severity.score,
"cvss_vector": severity.vector,
"affected_products": self.find_affected_products(report),
"actively_exploited": report.exploitation_evidence,
"cra_reporting_required": severity.score >= 7.0 or report.exploitation_evidence,
"deadline": self.calculate_deadline(report),
}
if assessment["cra_reporting_required"]:
# Start 24-hour clock
self.start_enisa_timer(assessment)
return assessment3. ENISA Reporting
class ENISAReporter:
ENISA_ENDPOINT = "https://reporting.enisa.europa.eu/api/v1"
async def early_warning(self, vulnerability):
# Must be sent within 24 hours
payload = {
"type": "early_warning",
"product": vulnerability.product_name,
"severity": vulnerability.cvss_score,
"actively_exploited": vulnerability.is_exploited,
"description": vulnerability.brief_description,
"estimated_impact": vulnerability.estimated_users_affected,
}
response = await self.submit(payload)
return response
async def full_notification(self, vulnerability):
# Must be sent within 72 hours
payload = {
"type": "vulnerability_notification",
"cve_id": vulnerability.cve_id,
"technical_details": vulnerability.technical_analysis,
"affected_versions": vulnerability.affected_versions,
"mitigation": vulnerability.temporary_mitigation,
"patch_timeline": vulnerability.expected_patch_date,
}
response = await self.submit(payload)
return response4. Patch and Notify Users
# Automated security advisory pipeline
security-advisory:
stage: notify
when: manual # Security team triggers
script:
- python generate_advisory.py --cve $CVE_ID --severity $SEVERITY
- python notify_users.py --product $PRODUCT --advisory advisory.json
- python update_sbom.py --product $PRODUCT --version $PATCHED_VERSIONCoordinated Vulnerability Disclosure Policy
Your public vulnerability disclosure policy must include:
- How to report β email, web form, encrypted channels
- Response timeline β acknowledge within 48 hours
- Coordination β work with reporter before public disclosure
- Safe harbor β security researchers wonβt face legal action
- Credit β acknowledge reporters (with permission)
- Disclosure timeline β typically 90 days, shorter for active exploitation
Tooling Recommendations
- Vulnerability intake: MITRE Vulnogram, GitHub Security Advisories
- Tracking: JIRA with security workflow, or dedicated tools like DefectDojo
- SBOM scanning: Grype, Trivy, or Snyk for continuous monitoring
- Reporting: Automated ENISA reporting integration
- Communication: Pre-written advisory templates, distribution lists
Key Takeaways
- Build the process NOW β September 2026 is the first enforcement date
- security.txt is a quick win β takes 5 minutes, signals maturity
- Automate what you can β SBOM scanning, severity assessment, notification
- Practice the process β tabletop exercises with your security team
- Document everything β regulators will ask for evidence
Need help building CRA-compliant vulnerability handling? I help organizations design security response processes. Get in touch.
π Need expert help with this topic?
Luca Berton
AI & Cloud Advisor with 18+ years experience. Author of 8 technical books, creator of Ansible Pilot, and instructor at CopyPasteLearn Academy. Speaker at KubeCon EU & Red Hat Summit 2026.
Related Articles
Fix: OpenClaw Gateway non-loopback control UI requires gateway.controlui.allowedorigins
Getting the allowedorigins error when starting your OpenClaw gateway? Here is exactly how to fix it, with step-by-step configuration for local network, VPS, and reverse proxy setups.
Fix: OpenClaw Model API Key Errors β 401 Unauthorized, Invalid Key, and Rate Limits
Troubleshoot OpenClaw API key issues across OpenAI, Anthropic, and GitHub Copilot. Covers 401 errors, invalid key formats, rate limits, and model fallback configuration.