
CRA-ready vulnerability disclosure with Hackrate managed VDP

This article looks at how organizations can start preparing their vulnerability disclosure handling for the Cyber Resilience Act, and how Hackrate managed VDP can support that work. It may be useful for teams that want a clearer, more structured way to manage external vulnerability reports.

Balazs Pozner · May 15, 2026 · 7 min read

The Cyber Resilience Act makes vulnerability handling a regulated product security process for manufacturers of products with digital elements. Hackrate managed VDP helps organizations build a clear external reporting channel before CRA deadlines arrive.

Why vulnerability disclosure matters under the CRA

The Cyber Resilience Act, Regulation (EU) 2024/2847, introduces cybersecurity requirements for products with digital elements placed on the EU market. It applies to a broad range of software and hardware products, including connected products, applications, embedded systems, and certain remote data processing components. The CRA entered into force on 10 December 2024. Its main obligations apply from 11 December 2027, while Article 14 reporting obligations apply earlier, from 11 September 2026.

For manufacturers, the practical message is simple: vulnerability handling becomes part of product compliance.

The CRA does not only ask whether a product was secure when it was released. It expects manufacturers to handle vulnerabilities during the product support period. This includes receiving vulnerability information, assessing technical impact, taking corrective or mitigating measures, documenting the process, and escalating reports that may trigger regulatory reporting.

A Vulnerability Disclosure Program is one of the most practical ways to establish this capability. It gives external researchers, ethical hackers, customers, partners, and other third parties a clear way to report security issues. But for CRA readiness, a VDP must be more than a policy page. It must be connected to validation, remediation, documentation, and decision-making.

A vulnerability disclosure policy, a responsible disclosure program, and coordinated vulnerability disclosure describe the same basic operating model: an external party reports a vulnerability to the organization and the organization validates and remediates the issue. In this article, VDP is used as the practical term for that.

There are two dates that matter for vulnerability disclosure planning.

11 September 2026 is when Article 14 reporting obligations start to apply. From this date, manufacturers must report actively exploited vulnerabilities contained in products with digital elements and severe incidents that affect the security of those products.

11 December 2027 is when the main CRA obligations apply. This includes the wider product conformity framework and the vulnerability handling requirements in Annex I.

The operational problem companies need to solve

Many organizations still rely on a security email address, informal contacts, support tickets, or fragmented internal workflows to receive vulnerability information.

That model is weak for CRA readiness.

A mailbox can receive a report, but it does not create a controlled vulnerability handling process. It does not define what information researchers should submit. It does not validate whether the report is real. It does not filter spam, duplicates, incomplete submissions, or non-security issues. It does not assess exploitability or product impact. It does not automatically create evidence for compliance teams.

This is the gap Hackrate managed VDP is designed to close.

What a CRA-ready vulnerability disclosure process should do

A CRA-ready process should support the full path from external report to internal decision.

It should help the organization:

  • Receive vulnerability reports through a clear channel.
  • Collect the technical information needed for triage.
  • Validate whether the report is relevant, in scope, understandable, and technically credible.
  • Assess potential impact, exploitability, and prioritization.
  • Communicate professionally with the external reporter.
  • Provide internal teams with actionable technical information.
  • Support escalation to security, product, engineering, legal, and compliance teams.
  • Preserve a traceable record of intake, validation, communication, assessment, remediation input, and closure.

This is where a managed VDP becomes valuable. It turns external vulnerability reporting from an unmanaged intake point into a controlled workflow.

How Hackrate managed VDP helps

Hackrate managed VDP combines the Hackrate Ethical Hacking Platform with managed vulnerability report handling by Hackrate security experts. The service focuses on external vulnerability reports submitted by ethical hackers, researchers, or other external parties. The platform can also support centralized vulnerability management and report tracking where the customer wants to use it for that purpose.

Hackrate helps in six practical areas.

  1. Structured external vulnerability intake: Hackrate provides a professional reporting channel where external parties can submit vulnerability reports in a structured format.

The reporting form can be linked from the customer’s website, security page, or vulnerability disclosure policy page. This gives researchers a clear entry point and helps the customer avoid fragmented reporting through support or unmonitored mailboxes.

A structured report can capture key information such as the affected product, affected asset or component, technical description, reproduction steps, evidence, potential impact, and suggested mitigation. This improves the quality of the submission. This matters because early clarity saves time.

  2. Report validation and filtering: Hackrate reviews external submissions before they reach the customer’s internal teams.

This triage step helps determine whether the report is understandable, relevant, in scope, sufficiently documented, and technically credible. It also helps filter incomplete reports, duplicates, irrelevant findings, spam, and non-security submissions.

This is one of the strongest benefits for customers. Internal security and engineering teams should not spend their time processing noise. They should receive validated, actionable findings with enough technical context to decide what happens next.

  3. Risk and impact assessment: Hackrate assesses the potential severity and impact of validated vulnerability reports.

This assessment may consider confidentiality, integrity, availability, exploitability, attack complexity, likelihood of exploitation, affected product context, and recommended prioritization. The objective is to help the customer understand whether the issue requires routine remediation, urgent attention, or internal escalation for CRA-related assessment.

Hackrate does not make the customer’s legal or regulatory reporting decision. That remains the responsibility of the manufacturer. Hackrate provides the technical input and documentation that legal, compliance, security, product, and management teams need to make that decision.

  4. Communication with external reporters: Hackrate manages communication with the external reporter during the validation process. This improves the quality and professionalism of the disclosure experience. Researchers receive structured communication (instead of silence or unclear responses). The customer receives clarification where needed.

Good communication also reduces disclosure risk. Many public conflicts between researchers and companies start because the reporting process is unclear or slow.

  5. Remediation-oriented technical input: Hackrate provides practical technical input to support remediation or mitigation.

This may include general remediation direction, possible mitigation options, configuration or implementation considerations, prioritization guidance, and security improvement suggestions.

The purpose is not to replace the customer’s engineering team. The purpose is to give that team better technical context so it can act faster.

  6. Traceable vulnerability management: The Hackrate Ethical Hacking Platform provides a central environment for vulnerability reporting and handling. This supports traceability across report intake, validation, communication, assessment, remediation input, and closure.

This is important because the compliance team needs evidence that the organization has a repeatable process, the security team needs visibility into report status, the engineering team needs actionable findings, and management needs confidence that serious issues are escalated appropriately. Our platform-based workflow helps align those needs.

Where CVE support fits

CVE support is not the main purpose of a CRA-ready VDP, but it can be valuable when the customer needs it. Hackrate is a CVE Numbering Authority. When a vulnerability is eligible, when a CVE record is useful, and when the customer requests and approves it, Hackrate can support CVE record creation and disclosure alignment.

What customers gain from Hackrate managed VDP

The CRA makes vulnerability handling a product security and compliance requirement. Manufacturers need a reliable way to receive external vulnerability reports, validate them, assess their impact, support remediation, document the process, and escalate serious vulnerability reports on time.

Hackrate managed VDP gives organizations a practical way to build that capability. It combines a structured reporting channel, expert triage, researcher communication, technical assessment, remediation-oriented input, traceable vulnerability report management, onboarding support, and optional CVE coordination when requested and approved by the customer.

For companies preparing for CRA obligations, the value is straightforward: Hackrate helps turn vulnerability disclosure into a controlled, auditable, and expert-supported process.

Written by Balazs Pozner
CEO and Founder of HACKRATE Ltd.
