ComparisonEuropean bug bounty and VDP platform

YesWeHack vs CVD Portal

European bug bounty, VDP, and attack surface platform. How does YesWeHack compare to CVD Portal for an EU manufacturer subject to the Cyber Resilience Act?

Headquarters
Paris, France
Category
European bug bounty and VDP platform
Pricing model
VDP, bug bounty, and pentest plans priced on request.

How they compare on CRA-critical features

Five capabilities that matter most for EU manufacturers under Articles 13 and 14 of Regulation (EU) 2024/2847.

Feature
YesWeHack
CVD Portal
Whitelabel CVD intake portal (Article 13 SPOC)
Included on Free tier
Article 14 reporting workflow (24h / 72h / final)
Not advertised
Built in. Guided manual on Free and Pro, automated submission to ENISA Single Reporting Platform on Enterprise
EU data residency by default
Varies; often requires enterprise contract
Default for every customer
CSAF 2.0 advisory generator
Not advertised
Included from Pro
Published free tier suitable for SMEs
Varies
€0/month, no card required

Where YesWeHack is strong

  • +European company headquartered in France with EU data residency.
  • +Strong public-sector presence in France and other EU member states.
  • +Combined product portfolio: VDP, bug bounty, pentest, and attack surface management.
  • +Recognised researcher community across the EU.

Where it is not a CRA fit

  • !Like Intigriti, the primary positioning is crowdsourced security testing, not CRA manufacturer compliance.
  • !No publicly advertised Article 14 reporting workflow to ENISA or national CSIRTs.
  • !No published feature page for CSAF 2.0 advisory generation as part of the standard product.
  • !Free intake is offered but is not framed around the CRA Article 13 publication obligation.

The CRA gap

YesWeHack is an excellent EU bug-bounty and VDP platform but operates in a different category from a CRA compliance product. Article 13 (policy publication and single point of contact) is partially covered through the VDP workflow; Article 14 (24h, 72h, final report to ENISA and the relevant national CSIRT) is not publicly addressed in the product surface.

Why teams pick CVD Portal for CRA

Five reasons EU manufacturers choose CVD Portal over YesWeHack.

  1. 1

    Built around the CRA manufacturer obligation set rather than the crowdsourced testing market.

  2. 2

    Free tier with Article 13 publication, intake, and 48h acknowledgment timing at €0/month.

  3. 3

    Article 14 reporting timers and ENISA submission flow are part of the product.

  4. 4

    CSAF 2.0 advisory generation built in.

  5. 5

    Predictable published pricing across tiers.

Frequently asked

Is YesWeHack EU-based?
Yes. YesWeHack is headquartered in Paris, France and operates with EU data residency. It is one of the leading European bug-bounty and VDP platforms.
Why compare YesWeHack and CVD Portal at all?
Manufacturers that have heard of YesWeHack often arrive at the same question that brought them to a bug-bounty platform: do we have to do something about the EU Cyber Resilience Act. The two platforms answer different parts of that question. YesWeHack handles crowdsourced security testing; CVD Portal handles the CRA Article 13 baseline and Article 14 reporting cascade.
Does YesWeHack publish CSAF advisories?
CSAF 2.0 advisory generation is not a publicly advertised capability inside the YesWeHack VDP product. CVD Portal includes a CSAF 2.0 advisory generator from the Pro tier.
Can I migrate a YesWeHack VDP to CVD Portal?
Yes. Export existing reports, point your security.txt and policy URL at the new whitelabel portal, and forward replies from the old inbox while external references update. Most migrations are completed in an hour for the technical work.
Is the CVD Portal Free tier really enough for Article 13?
For a typical SME manufacturer of a single product line, the Free tier covers the published policy, the single point of contact (whitelabel intake email), the 48h acknowledgment, and a researcher-friendly submission form. That is the Article 13 baseline.

Switch to a CRA-native disclosure portal in under an hour

Article 13 baseline at €0/month. Article 14 reporting workflow included. EU data residency by default. No card required to start.

Start your free portalSee pricing

Other CVD Portal comparisons

CVD Portal vs HackerOneCVD Portal vs BugcrowdCVD Portal vs IntigritiCVD Portal vs Open Bug BountyCVD Portal vs disclose.ioCVD Portal vs Vicarius