Bug bounty programmes pay researchers for valid vulnerability reports. They attract far more researcher attention than an unpaid channel, and far more report volume with it. Under the Cyber Resilience Act they are optional. What Annex I Part II requires is a coordinated vulnerability disclosure policy and a working reporting channel.
One pipeline, two programmes
Our new guide explains the sensible sequence. A working CVD process first, a bounty on a dedicated platform second, with every report landing in the same compliance workflow so advisories, researcher acknowledgments, and Article 14 assessments happen in one place. CRA Portal runs no payouts itself, it is the disclosure and compliance layer underneath.
AI triage for bounty-scale volume
The guide also covers AI Triage on the Enterprise tier. Incoming reports get suggested severity, CVSS scoring, Article 14 risk assessment, and duplicate detection against open reports, the EU Vulnerability Database, and CVE records. The AI only proposes, your team decides.
Read the full guide to running a bounty alongside your CVD process.
Read More