
Setting Up a CVD Programme for CRA Compliance

Article 15 requires manufacturers to operate a coordinated vulnerability disclosure (CVD) programme. This post walks through writing a CVD policy, setting up a disclosure channel, handling reports, and issuing CSAF advisories.

CRAReady Team

Why CVD Is a Legal Requirement Under the CRA

Before the CRA, coordinated vulnerability disclosure was a best practice. From December 2027, it is a legal obligation. Article 15 requires manufacturers to:

  • Establish and document a CVD policy
  • Provide a publicly accessible reporting channel
  • Acknowledge vulnerability reports without undue delay
  • Investigate and remediate vulnerabilities
  • Disclose information about vulnerabilities and mitigations publicly
  • Not prevent third parties from disclosing vulnerabilities

Writing a CVD Policy

A CVD policy does not need to be lengthy — clarity matters more than comprehensiveness. Key elements:

Scope: Define which products or services the policy covers.

Reporting channel: Provide a dedicated email (security@yourdomain.com) or web form. Optionally provide a PGP key for encrypted reports.

Acknowledgement timeline: Commit to acknowledging reports within 5 business days (ISO 29147 recommendation).

Disclosure timeline: State your default coordinated disclosure window — 90 days is standard, extensible by mutual agreement.

Safe harbour: Commit that good-faith researchers following the policy will not face legal action. This is critical for attracting reports.

CVE assignment: State that you will request CVE identifiers for valid vulnerabilities.

Publish the policy at a predictable URL — /security or /vulnerability-disclosure — and reference it in a security.txt file at /.well-known/security.txt.

Handling Reports

When you receive a report:

  1. Acknowledge receipt within 5 business days
  2. Triage: reproduce the issue and assess severity (CVSS)
  3. Investigate root cause and scope
  4. Develop a fix — target 7–14 days for critical, 30 days for high severity
  5. Coordinate disclosure date with the reporter
  6. Request a CVE identifier
  7. Publish advisory and CSAF document
  8. Notify affected users

CSAF Advisories

Publishing machine-readable CSAF advisories alongside human-readable security bulletins allows customers' software composition analysis tools to automatically detect whether they are affected. CSAF documents should be published at /.well-known/csaf/ with a provider-metadata.json index file.
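To make the above concrete, here is an added Python example (not code from the original post or from any CSAF tooling) that assembles a minimal CSAF 2.0 advisory, derives the filename the specification requires from the tracking id, checks that every product id referenced in product_status is declared in the product tree, and builds the provider-metadata.json index. The publisher, product and CVE values are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample publisher for this example; substitute your own details.
PUBLISHER = {"category": "vendor", "name": "Example Manufacturer",
             "namespace": "https://example.com"}
CSAF_DIR = "https://example.com/.well-known/csaf/"

def now_iso():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def csaf_filename(tracking_id):
    # CSAF 2.0 filename rule: lowercase the id, runs outside [+\-a-z0-9] become "_", add ".json"
    return re.sub(r"[^+\-a-z0-9]+", "_", tracking_id.lower()) + ".json"

def build_advisory(tracking_id, title, cve, product, affected, fixed, now=None):
    # Minimal csaf_security_advisory; every product_id in product_status is
    # declared in product_tree, which is what SCA tools match against
    now = now or now_iso()
    pid = lambda v: f"{product}-{v}"
    return {
        "document": {
            "category": "csaf_security_advisory", "csaf_version": "2.0",
            "publisher": PUBLISHER, "title": title,
            "tracking": {"id": tracking_id, "status": "final", "version": "1",
                         "initial_release_date": now, "current_release_date": now,
                         "revision_history": [{"date": now, "number": "1",
                                               "summary": "Initial release"}]}},
        "product_tree": {"full_product_names": [
            {"name": f"{product} {v}", "product_id": pid(v)} for v in affected + fixed]},
        "vulnerabilities": [{"cve": cve, "product_status": {
            "known_affected": [pid(v) for v in affected],
            "fixed": [pid(v) for v in fixed]}}],
    }

def undefined_product_ids(doc):
    # product_ids referenced in product_status but never declared; any hit
    # means the advisory is not valid CSAF and tools will not match it
    defined = {p["product_id"] for p in doc["product_tree"]["full_product_names"]}
    used = {p for v in doc["vulnerabilities"]
            for ids in v["product_status"].values() for p in ids}
    return sorted(used - defined)

def provider_metadata(now=None):
    # Index file at /.well-known/csaf/ that tools fetch before any advisory
    return {"canonical_url": CSAF_DIR + "provider-metadata.json",
            "distributions": [{"directory_url": CSAF_DIR}],
            "last_updated": now or now_iso(), "list_on_CSAF_aggregators": True,
            "metadata_version": "2.0", "mirror_on_CSAF_aggregators": False,
            "publisher": PUBLISHER, "role": "csaf_provider"}
```

Serialise the dict returned by build_advisory with json.dump into the directory named in provider_metadata, using csaf_filename for the file name, and run it through the official CSAF validator before publishing.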

Linking CVD to Article 14

If a vulnerability reported through your CVD programme is found to be actively exploited, your Article 14 obligations are triggered immediately: early warning to ENISA within 24 hours of learning of active exploitation, detailed report within 72 hours. Your CVD process and Article 14 process should be integrated — not siloed.
