Contract Manufacturer CVD Policy Template
A CVD policy template for contract manufacturers and ODMs who manufacture products under brand owners' instructions. Addresses the CRA obligation question (brand owner vs. contract manufacturer), how to route inbound researcher reports to the correct party, and contractual obligations with brand owner customers.
Policy Statement & Contract Manufacturer Context
Relevant CRA provisions: Article 13, Article 17
[COMPANY NAME] is a [contract electronics manufacturer / original design manufacturer (ODM) / electronics manufacturing services (EMS) provider] that manufactures products for brand owners and product companies. The products we manufacture are placed on the market under our customers' brand names, not under the [COMPANY NAME] brand.
This policy describes how [COMPANY NAME] handles security vulnerability reports related to products we manufacture, and clarifies the division of CRA responsibilities between [COMPANY NAME] and the brand owners who place products on the market.
[COMPANY NAME] is committed to:
- Maintaining secure manufacturing processes in accordance with CRA Annex I requirements applicable to manufacturers
- Routing inbound vulnerability reports to the appropriate brand owner
- Supporting brand owners in their CRA Article 13 and 14 compliance obligations
- Maintaining contractual frameworks with brand owner customers that document security responsibilities
This policy is published in accordance with [COMPANY NAME]'s own obligations as a manufacturer and supplier under the CRA, and to provide transparency to security researchers who may encounter our products.
Contract manufacturers often receive vulnerability reports about products bearing their clients' brand names. Having a policy that explains the CRA obligation split — rather than ignoring the issue — prevents researchers from feeling ignored and demonstrates that your organisation understands its role in the supply chain.
Who Bears CRA Obligations (Brand Owner vs. CM Clarification)
Relevant CRA provisions: Article 13, Article 17, Article 19
CRA responsibility allocation
Under the EU Cyber Resilience Act (Regulation (EU) 2024/2847), the primary obligations for products with digital elements — including the Article 13 CVD policy requirement and Article 14 notification obligations — fall on the manufacturer who places the product on the EU market under their name or trademark.
For products manufactured by [COMPANY NAME] under brand owner instructions:
- The brand owner (our customer) is the manufacturer who bears CRA Article 13 and 14 obligations with respect to the finished product
- [COMPANY NAME] as the contract manufacturer bears CRA obligations with respect to our own manufacturing processes and any proprietary components we contribute to the product
[COMPANY NAME]'s CRA obligations as a contract manufacturer include:
- Maintaining secure development and manufacturing practices in accordance with Annex I Part II
- Notifying brand owner customers of any security vulnerabilities discovered in [COMPANY NAME]-contributed components or manufacturing processes that affect products we manufacture for them
- Supporting brand owner customers in meeting their Article 13 and 14 obligations by providing technical information about the manufacturing process and components
- Maintaining appropriate security documentation as required by brand owner customers for their conformity assessment
[COMPANY NAME]'s CRA obligations do NOT include (absent a bilateral agreement with the brand owner):
- Maintaining a public CVD policy for finished products placed on the market under the brand owner's name
- Filing Article 14 notifications to ENISA on behalf of the brand owner
- Publishing security advisories for vulnerabilities in products bearing the brand owner's trademark
This is the most important section of the template. The CRA's allocation of responsibilities between contract manufacturers and brand owners is a source of significant confusion. Being explicit about what you are and are not responsible for protects your organisation and guides researchers to the correct party.
Scope of This Policy
Relevant CRA provisions: Article 13, Article 17
This policy covers:
[COMPANY NAME]-branded products: Any hardware or software products that [COMPANY NAME] designs and places on the market under the [COMPANY NAME] brand. These products are listed at [PRODUCT PAGE URL]. For these products, [COMPANY NAME] bears full CRA manufacturer obligations including Article 13 CVD policy and Article 14 notification.
[COMPANY NAME]-contributed components: Proprietary firmware, software libraries, communication stacks, or hardware designs that [COMPANY NAME] develops and licenses to multiple brand owner customers for integration into their products. These components are covered by [COMPANY NAME]'s CVD programme — see [COMPONENT SECURITY PAGE URL].
Products manufactured under contract for brand owners: [COMPANY NAME] manufactures products under contract for brand owner customers. Vulnerability reports for these products should be directed to the relevant brand owner (see Section 4 — Inbound Report Routing). [COMPANY NAME] does not maintain a public CVD programme for these products independently.
[COMPANY NAME]'s own manufacturing infrastructure: Vulnerabilities in [COMPANY NAME]'s manufacturing IT systems, supply chain management systems, or factory floor automation are within [COMPANY NAME]'s own security programme scope and should be reported to [[email protected]].
The three-way scope distinction — branded products, contributed components, and contract-manufactured products — is the key organisational clarity this policy provides. Many CMs have all three categories and conflate them, which leads to both gaps and duplications in security responsibility.
Inbound Report Routing to Brand Owner
Relevant CRA provisions: Article 13, Article 17
If you have discovered a security vulnerability in a product manufactured by [COMPANY NAME] but bearing another company's brand name, please:
Step 1 — Identify the brand owner
The brand owner is typically the company named on the product packaging, in the product's FCC/CE documentation, or on the accompanying warranty or regulatory documentation. If you cannot identify the brand owner, contact us at [[email protected]] and we will assist you.
Step 2 — Report to the brand owner
Report the vulnerability directly to the brand owner's security contact. If the brand owner has a CVD policy or security.txt file, use those channels.
Step 3 — Notify us if the vulnerability may be in a [COMPANY NAME]-contributed component
If you believe the vulnerability may originate in [COMPANY NAME]-contributed firmware, hardware design, or software components (rather than the brand owner's own additions), please also notify us at [[email protected]]. We will coordinate with the brand owner.
[COMPANY NAME] as routing facilitator:
If a researcher reports a branded product vulnerability to [COMPANY NAME] rather than the brand owner, [COMPANY NAME] will:
- Acknowledge receipt within 48 hours
- Identify the responsible brand owner
- Forward the report to the brand owner's security contact within [3] business days
- Inform the reporter that we have forwarded the report and provide the brand owner's public security contact
- Follow up with the brand owner within [10] business days to confirm they have engaged with the reporter
[COMPANY NAME] will not leave a reporter in silence — even for vulnerabilities that are ultimately the brand owner's responsibility.
The routing facilitator role — acknowledging, forwarding, and following up — prevents the worst outcome: a researcher who reports to the CM in good faith and hears nothing. Even if you ultimately cannot fix the issue yourself, acting as a responsible intermediary protects the researcher's time and the security of end users.
Internal Security Practices (Annex I Manufacturing)
Relevant CRA provisions: Annex I Part II, Article 17
[COMPANY NAME] applies the following security practices to our manufacturing operations in accordance with CRA Annex I Part II:
Supply chain security:
- We verify the integrity and authenticity of electronic components sourced from our supply chain using [VERIFICATION METHODS, e.g. component authentication, approved vendor list, counterfeit component screening]
- We maintain a software bill of materials (SBOM) for [COMPANY NAME]-developed firmware and software components supplied to brand owner customers
- We report any confirmed or suspected supply chain compromise to affected brand owner customers within [2] business days of discovery
Secure manufacturing processes:
- Code signing: Firmware and software produced by [COMPANY NAME] for delivery to brand owners is signed using [SIGNING METHOD] with keys held in [HSM / SECURE STORAGE]
- Secure boot: Reference designs include secure boot configurations as standard, documented in our design security guidelines ([LINK])
- Cryptographic key management: Device-specific keys provisioned during manufacturing follow the procedures documented in [KEY MANAGEMENT POLICY LINK]
Vulnerability management for [COMPANY NAME]-contributed components:
- We monitor vulnerability disclosures in open-source and third-party components we integrate into our products and firmware libraries
- We notify brand owner customers of confirmed vulnerabilities in [COMPANY NAME]-contributed components within [5] business days of confirmation
- We maintain a component security bulletin for subscribed brand owner customers at [BULLETIN URL]
Annex I Part II imposes security obligations on the manufacturing process itself — not just the finished product. Documenting your SBOM practice, code signing, and supply chain verification demonstrates that your manufacturing security posture is aligned with CRA expectations, which is relevant for brand owners' conformity assessment documentation.
Contractual Framework with Brand Owners
Relevant CRA provisions: Article 17, Article 19
[COMPANY NAME] establishes a documented security responsibility framework with each brand owner customer as part of the manufacturing contract. This framework addresses:
Security responsibility allocation:
- Which CRA obligations the brand owner bears (Article 13, 14, conformity assessment)
- Which security obligations [COMPANY NAME] bears (Annex I manufacturing practices, component security notifications)
- How security information about the product is shared between [COMPANY NAME] and the brand owner
Vulnerability notification obligations:
- [COMPANY NAME]'s obligation to notify the brand owner of vulnerabilities discovered in [COMPANY NAME]-contributed components, including timeline (default: within [5] business days of confirmation)
- The brand owner's obligation to share information about vulnerabilities reported to them that may originate in [COMPANY NAME]-contributed components
- The process for coordinating patch development and delivery when a vulnerability spans both [COMPANY NAME]- and brand-owner-contributed elements
SBOM and technical documentation:
- [COMPANY NAME] provides brand owner customers with an SBOM covering [COMPANY NAME]-contributed firmware and software components
- Brand owners may incorporate [COMPANY NAME]'s SBOM into their own product SBOM for CRA conformity documentation purposes
- [COMPANY NAME] maintains technical security documentation sufficient for brand owners' conformity assessment
Contact for security contractual matters: [[email protected]]
The contractual framework section transforms security responsibilities from assumptions into documented obligations. Without it, gaps almost always emerge during an incident — typically when it becomes unclear who is responsible for filing Article 14 notifications or coordinating with the researcher. This section is also evidence for auditors that you have operationalised CRA Article 17.
Escalation for Urgent Reports
Relevant CRA provisions: Article 13, Article 17
For security vulnerability reports that require urgent handling — including active exploitation, potential safety risks, or critical infrastructure impact — use the following escalation contacts:
Emergency security contact:
- Telephone: [EMERGENCY PHONE NUMBER] (available [24/7 / business hours + on-call])
- Email: [[email protected]]
Criteria for urgent escalation:
- Vulnerability is confirmed to be under active exploitation
- Vulnerability may cause physical harm or safety consequences
- Vulnerability affects products deployed in critical infrastructure
- Vulnerability involves a potential supply chain compromise of [COMPANY NAME] manufacturing
Urgent report routing timeline:
For urgent reports received by [COMPANY NAME] that require routing to a brand owner:
- Acknowledgment to reporter: within [2] hours during business hours
- Brand owner notification: within [4] hours of receipt (or immediately if outside business hours, via emergency contact)
- Follow-up with reporter: within [24] hours
Disclosure of brand owner identity for urgent reports:
For urgent reports involving confirmed or suspected active exploitation, [COMPANY NAME] will provide the reporter with the brand owner's public security contact details to enable direct coordination, even where [COMPANY NAME] would not normally disclose customer relationships.
Urgent escalation procedures for contract manufacturers are easily overlooked because most CVD processes assume you are the product owner. The brand owner identity disclosure provision for urgent cases is the right call — a researcher trying to coordinate a response to active exploitation should not be blocked by commercial confidentiality concerns.
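The routing facilitator timeline (48-hour acknowledgment, forwarding within 3 business days, follow-up within 10 business days) and the urgent timeline in this section (2 / 4 / 24 hours) are easy to state and easy to miss in practice. The following Python module is an added example written for this page; it is not part of the template or of any CVD Portal product. It models the four scope categories from the Scope section, the urgent-escalation criteria, the brand-owner identity disclosure rule for active-exploitation cases, and computes the SLA deadlines for an inbound report. The company name, brand names, contact addresses and the holiday-free business-day calendar are constructed assumptions.

```python
"""Inbound vulnerability-report routing and SLA clock for a contract manufacturer.

Added example for this page: not part of the CVD policy template or of any
product. Names, contacts and the weekend-only business calendar are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

CM_BRAND = "ExampleCM"  # stands in for [COMPANY NAME]; constructed value

# Constructed brand-owner directory: security contact, and whether the customer
# relationship may be disclosed to a reporter under normal (non-urgent) handling.
BRAND_OWNER_CONTACTS = {
    "AcmeDevices": {"contact": "security@acme.example", "public": True},
    "PrivateLabelCo": {"contact": "psirt@privatelabel.example", "public": False},
}


class Scope(Enum):
    CM_BRANDED = "cm_branded"        # placed on the market under the CM's own brand
    CM_COMPONENT = "cm_component"    # suspected CM-contributed firmware/hardware/library
    BRAND_OWNER = "brand_owner"      # contract-manufactured: brand owner is the manufacturer
    CM_INFRA = "cm_infrastructure"   # factory IT, supply-chain or factory-floor systems


@dataclass
class Report:
    received: datetime
    product_brand: str
    suspected_cm_component: bool = False
    active_exploitation: bool = False
    safety_impact: bool = False
    critical_infrastructure: bool = False
    supply_chain_compromise: bool = False
    manufacturing_it: bool = False


@dataclass
class Routing:
    scope: Scope
    urgent: bool
    recipients: list
    disclose_brand_owner_to_reporter: bool
    deadlines: dict


def is_urgent(r: Report) -> bool:
    """Urgent-escalation criteria from the policy: any single one suffices."""
    return (r.active_exploitation or r.safety_impact
            or r.critical_infrastructure or r.supply_chain_compromise)


def classify_scope(r: Report) -> Scope:
    """Map an inbound report onto the policy's four scope categories."""
    if r.manufacturing_it:
        return Scope.CM_INFRA
    if r.product_brand == CM_BRAND:
        return Scope.CM_BRANDED
    if r.suspected_cm_component:
        return Scope.CM_COMPONENT
    return Scope.BRAND_OWNER


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by Mon-Fri business days, keeping time of day (assumption: no holidays)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def route(r: Report) -> Routing:
    """Decide recipients, disclosure and deadlines for one inbound report."""
    scope = classify_scope(r)
    urgent = is_urgent(r)
    needs_owner = scope in (Scope.BRAND_OWNER, Scope.CM_COMPONENT)
    owner = BRAND_OWNER_CONTACTS.get(r.product_brand) if needs_owner else None
    recipients = []
    if scope != Scope.BRAND_OWNER:
        recipients.append("cm-security-team")  # the CM's own programme handles it
    if needs_owner:
        # Unknown brand owner: the CM assists with identification before forwarding.
        recipients.append(owner["contact"] if owner else "brand-owner-identification")
    # Normal handling discloses only a *public* brand-owner contact; confirmed or
    # suspected active exploitation overrides commercial confidentiality.
    disclose = bool(owner) and (owner["public"] or r.active_exploitation)
    t = r.received
    if urgent:
        deadlines = {"acknowledge_reporter": t + timedelta(hours=2),
                     "notify_brand_owner": t + timedelta(hours=4),
                     "follow_up_reporter": t + timedelta(hours=24)}
    else:
        deadlines = {"acknowledge_reporter": t + timedelta(hours=48),
                     "forward_to_brand_owner": add_business_days(t, 3),
                     "confirm_brand_owner_engaged": add_business_days(t, 10)}
    if not needs_owner:  # nothing to forward: keep only reporter-facing clocks
        deadlines = {k: v for k, v in deadlines.items() if "brand_owner" not in k}
    return Routing(scope, urgent, recipients, disclose, deadlines)


if __name__ == "__main__":
    received = datetime(2024, 6, 7, 10, 0)  # a Friday; constructed
    for name, rep in [("standard", Report(received, "AcmeDevices")),
                      ("urgent", Report(received, "PrivateLabelCo", active_exploitation=True)),
                      ("infra", Report(received, "AcmeDevices", manufacturing_it=True))]:
        print(name, route(rep))
```

Two points the code makes explicit that the prose leaves implicit: the 3- and 10-business-day clocks skip weekends, so a report received on a Friday is due for forwarding the following Wednesday, and the brand-owner disclosure override applies only to active exploitation, not to the other urgent criteria (safety, critical infrastructure, supply chain compromise), which still follow the normal confidentiality rule.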