Our Mission

Why We Exist

CVD Portal was built by security practitioners who believe vulnerability disclosure should be frictionless, compliant, and accessible to every manufacturer placing products on the EU market.

The Problem

Vulnerability Disclosure Is Broken

When the EU Cyber Resilience Act was finalized, it created a clear legal obligation: every manufacturer of products with digital elements must implement coordinated vulnerability disclosure. Accept reports. Acknowledge within 48 hours. Notify authorities of actively exploited vulnerabilities within 24 hours. Maintain an SBOM. Document everything.

For large enterprises with dedicated PSIRTs, this was an incremental adjustment. For the tens of thousands of SMEs, startups, and hardware manufacturers who have never run a vulnerability disclosure program, it was an impossible mandate with no affordable tooling.

Security researchers had no standardized way to report. Manufacturers had no infrastructure to receive. And regulators had no evidence trail to audit.

We built CVD Portal to close that gap.

What We Believe

Our Principles

Compliance Should Not Be a Barrier

The CRA imposes strict disclosure obligations on every manufacturer selling into the EU. We believe the tooling to meet those obligations should be free, instant, and standards-aligned, not locked behind enterprise contracts.

Disclosure Saves Lives

Uncoordinated vulnerability disclosure puts end-users at risk. When manufacturers have a frictionless way to receive, triage, and remediate reports, the entire ecosystem benefits, from researchers to consumers.

Transparency Builds Trust

Every action in CVD Portal is audit-logged. Every deadline is tracked. Every notification is documented. We build for the regulators who will ask for evidence, and the security teams who need to produce it.

Open Standards, No Lock-In

We align with ISO/IEC 29147, OASIS CSAF 2.0, SPDX, and CycloneDX, not proprietary formats. Your data is yours. Export everything, integrate with anything, migrate whenever you choose.

Timeline

From Regulation to Infrastructure

2024

EU Cyber Resilience Act published as Regulation (EU) 2024/2847

2025

CVD Portal launched: free vulnerability disclosure infrastructure for economic operators

2026

CRA enforcement begins September 11: mandatory vulnerability handling for all products with digital elements

Ready to Get Compliant?

Deploy your CRA CVD-compliant vulnerability disclosure portal in minutes. Free for economic operators.