
Open Bug Bounty vs CVD Portal

Free community-run platform for coordinated web vulnerability disclosure. How does Open Bug Bounty compare to CVD Portal for an EU manufacturer subject to the Cyber Resilience Act?

Headquarters: Distributed community project
Category: Community-run open VDP
Pricing model: Free. Community-run and operated as a non-profit.

How they compare on CRA-critical features

Five capabilities that matter most for EU manufacturers under Articles 13 and 14 of Regulation (EU) 2024/2847.

Feature | Open Bug Bounty | CVD Portal
Whitelabel CVD intake portal (Article 13 SPOC) | | Included on Free tier
Article 14 reporting workflow (24h / 72h / final) | Not advertised | Built in. Guided manual on Free and Pro; automated submission to the ENISA Single Reporting Platform on Enterprise
EU data residency by default | Varies; often requires an enterprise contract | Default for every customer
CSAF 2.0 advisory generator | Not advertised | Included from Pro
Published free tier suitable for SMEs | Varies | €0/month, no card required

Where Open Bug Bounty is strong

  • Free for both researchers and website owners.
  • Useful for receiving inbound web-application vulnerability reports from a global researcher community.
  • Lightweight onboarding.

Where it is not a CRA fit

  • Designed primarily for website owners rather than CRA manufacturers of products with digital elements.
  • No managed triage, no SLA, and no audit trail suitable for a regulator-facing compliance posture.
  • No Article 14 reporting workflow.
  • No whitelabel branding, no policy publication tooling, and no CSAF advisory generation.
  • No published commitment around EU data residency.

The CRA gap

Open Bug Bounty does not target the CRA manufacturer use case. Article 13 requires a published CVD policy and a single point of contact under the manufacturer's own brand; Open Bug Bounty operates a shared community-run platform without whitelabel branding. Article 14 obligations (24h, 72h, final report to ENISA and the relevant national CSIRT) are entirely outside its scope.

Why teams pick CVD Portal for CRA

Five reasons EU manufacturers choose CVD Portal over Open Bug Bounty.

  1. Whitelabel intake under the manufacturer's own domain.
  2. Audit trail and acknowledgment SLA suitable for a regulator-facing compliance posture.
  3. Article 14 reporting workflow built in.
  4. CSAF 2.0 advisory generation built in.
  5. EU data residency by default.

Frequently asked

Is Open Bug Bounty good for CRA compliance?
Open Bug Bounty is a useful community resource for website owners but is not designed for CRA manufacturer compliance. It does not provide whitelabel intake under the manufacturer's domain, audit-grade tracking, or any Article 14 reporting workflow.

Can I use Open Bug Bounty alongside CVD Portal?
Some manufacturers maintain a researcher-friendly presence on Open Bug Bounty for their public web assets while operating their CRA-aligned intake, policy publication, and Article 14 reporting on CVD Portal. The two serve different purposes.

Is there really no cost to start on CVD Portal?
The Free tier is €0/month and requires no payment information at signup. It covers the Article 13 baseline for an SME manufacturer.

What about national CSIRT reporting under Article 14?
CVD Portal tracks both the ENISA submission and the national CSIRT submission under Article 14, with the corresponding 24h, 72h, and final-report timers. Open Bug Bounty does not address this part of the obligation.

Does CVD Portal pay researchers?
CVD Portal does not run paid bounty programmes. It provides the intake, policy, acknowledgment, and reporting infrastructure that the CRA requires. Manufacturers that want to incentivise reports financially typically pair CVD Portal with a bug-bounty platform.

Switch to a CRA-native disclosure portal in under an hour

Article 13 baseline at €0/month. Article 14 reporting workflow included. EU data residency by default. No card required to start.