Technical insights on coordinated vulnerability disclosure, CRA compliance, and product security engineering.
ENISA's Head of Vulnerability Services on why the CVE program needs distributed governance, how the CRA Single Reporting Platform changes manufacturer obligations, and why handling vulnerability disclosure properly is now a competitive selling point.
Article 14 enforcement begins 11 September 2026 - for products already on market. Here's exactly what infrastructure manufacturers, importers, and distributors need in place before the deadline: VDP, triage authority, reporting cascade, and audit trail.
The CRA draws a sharp legal line between 'exploitable' and 'actively exploited' vulnerabilities - with very different consequences for each. We break down the three-tier obligation framework, the EUVD's role as authoritative reference, and the September 2026 reporting deadlines that apply to products already on the market.
The EU Cyber Resilience Act creates the first mandatory vulnerability handling framework for products with digital elements. We break down the 26 articles, the key deadlines, and the practical steps manufacturers should take today to prepare.
A step-by-step walkthrough of the full CVD lifecycle - receiving a researcher report, triaging with CVSS, coordinating with upstream maintainers, developing a fix, and publishing a CSAF advisory. Includes timeline expectations and common pitfalls.
The CRA mandates Software Bills of Materials for all products with digital elements. But an SBOM isn't just a compliance checkbox - it's the foundation for vulnerability correlation, supply chain risk management, and incident response. Here's how to get it right.
When a manufacturer discovers an actively exploited vulnerability, the CRA requires a 24-hour early warning to the relevant CSIRT. We examine how this obligation works, what triggers it, and how to build an internal process that meets the deadline every time.
Most SMEs selling into the EU market don't have a dedicated PSIRT. With the CRA enforcement deadline approaching, here's a practical guide to establishing vulnerability handling capabilities - roles, tools, processes, and the minimum viable PSIRT.
The OASIS Common Security Advisory Framework (CSAF) 2.0 is becoming the standard for machine-readable vulnerability advisories. We explain the format, its relationship to the CRA, and how CVD Portal generates CSAF advisories automatically.
New articles on CRA compliance, vulnerability disclosure, and product security engineering.
Published by CVD Portal Engineering