← CRA Glossary
Technical Security

Proof-of-Concept (PoC) Exploit

A proof-of-concept (PoC) exploit is working code or a detailed technical demonstration that shows a security vulnerability is real and exploitable. The existence of a public PoC significantly increases the urgency of a manufacturer's patch release and may affect CRA notification timelines.

A proof-of-concept (PoC) exploit is working code or a detailed technical demonstration that shows a security vulnerability is real and exploitable. The existence of a public PoC significantly increases the urgency of a manufacturer's patch release and may affect CRA notification timelines.

Technical Security
Free CVD portal →

What Is a Proof-of-Concept Exploit?

A proof-of-concept (PoC) exploit is a demonstration — typically working code — that verifies a claimed security vulnerability is technically valid and exploitable. PoCs vary in capability: a minimal PoC may only demonstrate that a crash or unexpected behaviour occurs, while a weaponised PoC delivers a full payload (e.g. remote code execution, credential theft). Security researchers publish PoCs to establish credibility, accelerate vendor responses, and enable defenders to test their own mitigations. PoC publication typically occurs after a patch is released (coordinated) or when a vendor has failed to respond within the disclosure deadline (uncoordinated). A public PoC dramatically reduces the effort required for an attacker to exploit the vulnerability.

CRA reference:Article 14

PoC Exploits and CRA Obligations

The CRA's Article 14 notification requirement is triggered by active exploitation — not by the existence of a PoC. However, a public PoC is a strong indicator that active exploitation is imminent or already underway, for several reasons:

  • Automated exploit frameworks (Metasploit, etc.) incorporate public PoCs within days.
  • Threat actors scan for unpatched vulnerable systems within hours of PoC publication.
  • The gap between PoC publication and first recorded exploitation is measured in days, not weeks.

When a public PoC for your product's vulnerability appears, treat it as a near-certain active exploitation signal: accelerate patch release, notify your CSIRT proactively, and monitor threat intelligence feeds for confirmed exploitation reports.

CRA reference:Article 14, Annex I Part II

Managing PoC Requests During CVD

During a coordinated disclosure, researchers may share PoC code with the manufacturer to facilitate triage and validation. Manufacturers should:

  1. Request the PoC — a PoC accelerates internal validation; a vulnerability that cannot be reproduced internally may be disputed or deprioritised incorrectly.
  2. Keep it confidential — the PoC should be shared only with the development team on a need-to-know basis; leakage extends the attack window.
  3. Negotiate PoC publication timing — most researchers are willing to delay PoC publication until after a patch is released; formalise this in the disclosure agreement.
  4. Do not demand PoC suppression indefinitely — requiring a researcher to permanently withhold the PoC is unreasonable; the norm is PoC release concurrent with or shortly after the patch.

If a researcher publishes a PoC before a patch is available, immediately assess whether exploitation is occurring and trigger the Article 14 notification process.

CRA reference:Article 14

PoC vs. Full Exploit: Risk Differentiation

Not all PoCs represent equal risk:

  • Crash PoC (DoS) — demonstrates a denial-of-service condition; exploitation causes service disruption but not code execution. Lower severity than RCE PoCs but still urgent for availability-critical systems.
  • Authentication bypass PoC — demonstrates that access controls can be circumvented; severity depends on what is accessible post-bypass.
  • RCE PoC — demonstrates arbitrary code execution; the highest-severity class; requires immediate patch release regardless of CVSS methodology.
  • Weaponised exploit — a PoC that delivers a complete payload against a specific target; effectively an active attack tool. If discovered for your product, assume active exploitation.

The CVSS Temporal Score's 'Exploit Code Maturity' metric formally accounts for this progression (Proof-of-Concept → Functional → High), allowing advisories to reflect changing risk as PoC sophistication evolves.

CVD Portal makes Proof-of-Concept (PoC) Exploit compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.

Start your free portal

Frequently asked

Does a public PoC automatically trigger the CRA's 24-hour ENISA notification?+

Not automatically. The trigger is 'active exploitation', not PoC existence. However, a public PoC makes active exploitation highly likely in a short timeframe. Manufacturers should treat public PoC publication as a near-activation trigger for notification readiness: prepare the notification, confirm exploitation status through threat intelligence, and be ready to submit within hours if exploitation is confirmed. Waiting for definitive exploitation confirmation while a PoC is public is a compliance risk.

Should we ask researchers to share their PoC with us before we validate the vulnerability?+

Yes. Requesting PoC code from the reporting researcher is standard and appropriate during CVD triage. A working PoC allows your engineering team to reproduce and validate the vulnerability, which is necessary for accurate CVSS scoring and effective patch development. If a researcher declines to share the PoC (common with zero-day research), the triage must proceed based on the written description. Never demand a PoC as a condition of accepting a report.

What should we do if a PoC for our product appears on GitHub before we have a patch ready?+

Immediately escalate to the highest priority: verify the PoC's validity, assess exploitation severity and realistic attacker capability, publish any available mitigations (firewall rules, configuration changes, feature disablement) even without a full patch, notify your national CSIRT proactively, and accelerate the patch development timeline. Update your security advisory draft with interim mitigation guidance. Document all steps taken — regulators will review your response timeline in the event of enforcement inquiry.

Related terms

Zero-Day VulnerabilityA zero-day vulnerability is a security flaw that is unknown to the vendor and for which no patch exists at the time of discovery or exploitation. Zero-day vulnerabilities are particularly significant under the CRA because their active exploitation triggers immediate notification obligations to ENISA within 24 hours.Common Vulnerability Scoring System (CVSS)CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities, producing a numerical score from 0 to 10. Manufacturers use CVSS scores to prioritise remediation and to communicate risk in security advisories required under the CRA.Vulnerability HandlingVulnerability handling is the complete lifecycle process through which a manufacturer identifies, evaluates, remediates, and discloses security vulnerabilities in its products. Annex I Part II of the CRA makes robust vulnerability handling a mandatory ongoing obligation for all manufacturers of products with digital elements.Security AdvisoryA security advisory is a public document published by a manufacturer to inform users of a security vulnerability in a product, the severity of the issue, and how to remediate it. Annex I Part II of the CRA requires manufacturers to publish security advisories when releasing vulnerability fixes.

CRA articles using this term

Article 14Active Exploitation and Incident Reporting — 24h, 72h, and 14-Day ObligationsArticle 13Coordinated Vulnerability Disclosure Obligations for ManufacturersAnnex IEssential Cybersecurity Requirements for Products with Digital Elements

Browse the full CRA Compliance Checklist

See how Proof-of-Concept (PoC) Exploit fits into your complete CRA compliance programme.

View checklists →