Comparison: Bug bounty and VDP platform

HackerOne vs CVD Portal

Crowdsourced vulnerability discovery aimed at large security teams. How does HackerOne compare to CVD Portal for an EU manufacturer subject to the Cyber Resilience Act?

Headquarters
San Francisco, United States
Category
Bug bounty and VDP platform
Pricing model
Free response-only VDP tier; paid bounty, triage, and pentest tiers priced on request.

How they compare on CRA-critical features

Five capabilities that matter most for EU manufacturers under Articles 13 and 14 of Regulation (EU) 2024/2847.

Whitelabel CVD intake portal (Article 13 SPOC)
  Included on Free tier
Article 14 reporting workflow (24h / 72h / final)
  HackerOne: Not advertised
  CVD Portal: Built in. Guided manual on Free and Pro, automated submission to ENISA Single Reporting Platform on Enterprise
EU data residency by default
  HackerOne: Varies; often requires enterprise contract
  CVD Portal: Default for every customer
CSAF 2.0 advisory generator
  HackerOne: Not advertised
  CVD Portal: Included from Pro
Published free tier suitable for SMEs
  HackerOne: Varies
  CVD Portal: €0/month, no card required

Where HackerOne is strong

  • Largest curated researcher community in the bug-bounty market.
  • Mature managed triage offering with severity assessment and duplicate handling.
  • Established CVE assignment partnership through MITRE.
  • Wide enterprise tooling: SSO, audit logging, role-based access.

Where it is not a CRA fit

  • Headquartered in the United States. EU data residency is not the default and is typically negotiated as part of an enterprise agreement.
  • Paid tiers target larger security budgets. There is no published low-tier plan optimised for an EU SME manufacturer that simply needs to satisfy Article 13.
  • No publicly advertised CRA Article 14 workflow covering the 24h early warning, 72h detailed report, and final report to ENISA and the national CSIRT.
  • The platform is structured around the bug-bounty programme model. Manufacturers whose primary obligation is a published CVD policy and a contact channel pay for capabilities they do not use.

The CRA gap

Article 13 requires every manufacturer of products with digital elements to publish a CVD policy and operate a single point of contact for reports. Article 14 mandates a three-stage reporting cascade to ENISA and the relevant national CSIRT whenever an actively exploited vulnerability or a significant incident is identified. HackerOne addresses the intake side of Article 13 well at the enterprise tier but does not publicly advertise an Article 14 reporting workflow or default EU data residency.

Why teams pick CVD Portal for CRA

Five reasons EU manufacturers choose CVD Portal over HackerOne.

  1. EU-hosted infrastructure. Default GDPR posture, EU-resident analytics, no transatlantic transfer agreement required.
  2. Free tier covers the Article 13 baseline: whitelabel intake email, 48h acknowledgment SLA per ISO/IEC 29147, and a publication-ready CVD policy template at €0/month.
  3. Article 14 workflow is first-class: 24h, 72h, and final-report timers tied to ENISA Single Reporting Platform submission on Enterprise.
  4. Designed for the manufacturer scope of the CRA (Annex III important and critical categories), not the bug-bounty programme model.
  5. CSAF 2.0 advisory generation is in the platform, not a separate add-on.

Frequently asked

Is HackerOne CRA-compliant for an EU manufacturer?
HackerOne can satisfy parts of CRA Article 13 (the report intake and triage workflow) at its paid tiers. It does not publicly advertise a workflow for the Article 14 reporting cascade to ENISA and the relevant national CSIRT, and EU data residency is typically a paid contractual addition rather than a default. Manufacturers that need both obligations covered out of the box need additional tooling around HackerOne.
Is CVD Portal a bug bounty platform?
No. CVD Portal is a vulnerability disclosure and CRA compliance platform. It provides intake, triage workflows, Article 14 reporting timers, CSAF advisory generation, and policy publication. It does not run paid bounty programmes or manage researcher payouts. Customers that want a bounty programme often run one alongside CVD Portal rather than instead of it.
Can I migrate an existing HackerOne VDP to CVD Portal?
Yes. Export your existing reports, point your security.txt and policy URL at the new whitelabel portal, and forward replies from the old inbox until external references update. Most migrations are completed in under an hour for the technical work; researcher communication follows over a few weeks.
Where is CVD Portal data stored?
All customer data is stored in the European Union by default. Analytics run on EU-resident PostHog. There is no transatlantic data transfer in the standard product, which means no Standard Contractual Clauses are required for typical EU customers.
How does pricing compare?
CVD Portal has a published Free tier at €0/month that covers Article 13 obligations for a single-product company, a Pro tier in the low tens of euros per month for multi-product organisations, and an Enterprise tier with ENISA reporting automation and SSO. HackerOne does not publish prices for its paid tiers; pricing is typically quoted to security teams with five-figure annual budgets.

Switch to a CRA-native disclosure portal in under an hour

Article 13 baseline at €0/month. Article 14 reporting workflow included. EU data residency by default. No card required to start.