Comparison: Open-source disclosure framework

disclose.io vs CVD Portal

Community-maintained safe-harbor language and CVD policy templates. How does disclose.io compare to CVD Portal for an EU manufacturer subject to the Cyber Resilience Act?

Headquarters: Open-source project
Category: Open-source disclosure framework
Pricing model: Free. Open-source policy templates and safe-harbor language.

How they compare on CRA-critical features

Five capabilities that matter most for EU manufacturers under Articles 13 and 14 of Regulation (EU) 2024/2847.

| Feature | disclose.io | CVD Portal |
| --- | --- | --- |
| Whitelabel CVD intake portal (Article 13 SPOC) | | Included on Free tier |
| Article 14 reporting workflow (24h / 72h / final) | Not advertised | Built in. Guided manual on Free and Pro, automated submission to ENISA Single Reporting Platform on Enterprise |
| EU data residency by default | Varies; often requires enterprise contract | Default for every customer |
| CSAF 2.0 advisory generator | Not advertised | Included from Pro |
| Published free tier suitable for SMEs | Varies | €0/month, no card required |

Where disclose.io is strong

  • Excellent open-source safe-harbor language and policy boilerplate.
  • Industry-standard reference for VDP and CVD policy text in the US market.
  • Active community of practitioners.
  • Compatible with any intake and operations platform.

Where it is not a CRA fit

  • disclose.io is a framework and a set of templates, not a SaaS product. There is no intake portal, no acknowledgment timer, no audit trail, and no reporting workflow.
  • Policy templates are oriented toward US legal context (safe harbor, computer-fraud statutes) rather than the EU CRA obligation set.
  • No Article 14 reporting workflow exists, because there is no platform to host one on.
  • No CSAF advisory generation.

The CRA gap

disclose.io is not a product, so it does not address the operational side of CRA compliance. It provides high-quality input into the policy text that a manufacturer publishes; the intake portal, the acknowledgment SLA, the Article 14 reporting cascade, and the CSAF advisory generation are out of scope.

Why teams pick CVD Portal for CRA

Five reasons EU manufacturers choose CVD Portal over disclose.io.

  1. Operational platform around the policy: intake, acknowledgment timing, audit trail, reporting.
  2. Policy template tuned for the CRA Article 13 obligation rather than US safe-harbor framing.
  3. Article 14 reporting workflow with ENISA submission on Enterprise.
  4. CSAF 2.0 advisory generation.
  5. EU data residency by default.

Frequently asked

Should I use disclose.io templates with CVD Portal?
You can. disclose.io's safe-harbor language is excellent and can be incorporated into the CVD Portal policy template. The combination gives you the open-source policy text plus the operational platform required by the CRA.
Is the disclose.io template CRA-compliant on its own?
The disclose.io text is a strong starting point but is oriented toward US legal context. A CRA-compliant CVD policy needs to reference Article 13 obligations specifically, the national CSIRT, and the manufacturer's reporting commitments under Article 14. CVD Portal's policy template handles those references natively.
Why do I need a platform at all if I have a policy?
Article 13 also requires an operational single point of contact, acknowledgment tracking, and a process for handling reports. Article 14 requires three-stage reporting to ENISA and the relevant national CSIRT with hard deadlines. Both obligations need an operational system that processes reports against the regulatory clock.
Is CVD Portal open source?
The CSAF advisory generator and the security.txt scanner are planned for open source release. The platform itself is a commercial SaaS with a free tier suitable for SME manufacturers.
How does CVD Portal handle safe-harbor language?
The platform's policy template includes safe-harbor language adapted for EU jurisdictions, alongside the Article 13 references and the manufacturer's Article 14 commitments. Customers can customise this text before publication.

Switch to a CRA-native disclosure portal in under an hour

Article 13 baseline at €0/month. Article 14 reporting workflow included. EU data residency by default. No card required to start.