Managing a vulnerability from initial report to final remediation and public disclosure involves a complex series of steps. The CVD Portal visualizes and enforces this entire journey through the Submission Lifecycle, providing a clear, auditable trail for every reported issue. This structured approach is essential for demonstrating compliance with the incident handling requirements of the Cyber Resilience Act (CRA) and ensuring that no vulnerability falls through the cracks.
The lifecycle is divided into distinct phases: New, Triaged, Validated, Remediating, Resolved, and Disclosed. As a report moves through these stages, the portal automatically triggers relevant workflows, such as notifying specific engineering teams, updating SLA timers, and prompting for necessary compliance documentation. State transitions are strictly controlled by role-based permissions; for example, only a Technical Assessor can move a report from 'Triaged' to 'Validated' after confirming the exploitability.
This lifecycle management system provides a high-level overview of your organization's security posture at any given moment. Dashboards display the volume of reports in each phase, helping management identify bottlenecks in the triage or remediation processes. By adhering to a standardized submission lifecycle, your team ensures consistent, repeatable, and legally defensible handling of all incoming security disclosures.