Terms of Service & Shared Responsibility Agreement

Last updated: March 2026

Welcome to the CVD Portal (the "Platform"). By registering an account, configuring a workspace, or using any part of the Platform, you ("Tenant", "Manufacturer") explicitly agree to the following Terms of Service governing your Coordinated Vulnerability Disclosure (CVD) workflows.

1. Regulatory Compliance (EU Cyber Resilience Act)

The CVD Portal is specifically engineered to assist organizations in meeting the strict reporting and disclosure requirements mandated by the EU Cyber Resilience Act (Regulation (EU) 2024/2847). However, the Platform acts strictly as a data-processing utility. Ultimate regulatory liability rests with the Tenant.

1.1 Platform Capabilities (Our Responsibilities)

We provide the software architecture to facilitate compliance, including:

  • Intake & Timing: Maintaining a secure reporting pipeline with a Single Point of Contact (SPOC) and generating immutable audit logs that track the strict 48-hour acknowledgment regulatory clocks.
  • Data Export: Generating standard OASIS CSAF 2.0 (Common Security Advisory Framework) JSON advisories for resolved reports.
  • Threat Intelligence: Correlating your uploaded component lists automatically against the NVD (National Vulnerability Database).
  • Escalation Routing: Formatting 24-hour National CSIRT/ENISA immediate notification payloads for vulnerabilities you mark as Critical/High.

1.2 Tenant Obligations (Your Responsibilities)

By using the Platform, you acknowledge that you remain legally and operationally responsible for fulfilling the following engineering duties under the CRA:

  • SBOM & Hardware Tracking (PRE-7, PRE-8): You must actively maintain, generate (via your CI/CD pipelines), and upload accurate SPDX/CycloneDX Software Bill of Materials and Hardware Asset lists to the platform's registry.
  • Triage & Risk Assessment (VRF-1, VRF-2): You must technically reproduce incoming reports, determine their severity, and appropriately trigger the "Critical" escalation tools within the platform when societal risk exists.
  • Patch Development (RMD-2, PRE-10): You must write the actual software patches, test their efficacy, and securely host the compiled binaries or patches on your own infrastructure.
  • Active Monitoring (RCP-1): You must actively monitor the platform's alerts and your Single Point of Contact (SPOC) to ensure reports are acknowledged before deadlines expire.

2. Operations & Security

All vulnerability data is encrypted in transit and at rest. If your operations require End-to-End Encryption (E2EE) for sensitive payload exchange, you are responsible for safely generating and managing your own PGP asymmetric key pairs within the Platform's Security Settings.

3. Limitation of Liability

We shall not be held liable for regulatory fines, legal penalties, or security breaches resulting from a Tenant’s failure to acknowledge active vulnerability reports, accurately configure their components, or deploy protective patches. The Platform is provided "AS-IS", and reliance on the automated threat intelligence mapping does not constitute an exhaustive penetration test of your internal systems.

By registering, you confirm that you have read, understood, and will abide by this Shared Responsibility Agreement.