
Responsible Disclosure Programme

Security researchers and CRA-compliant software vendors working together to make connected products safer.

Why responsible disclosure matters under the CRA

The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) Article 14 requires manufacturers of products with digital elements to notify the CSIRT designated as coordinator and ENISA, via the single reporting platform, of any actively exploited vulnerability and any severe incident affecting the security of the product. The deadlines run from the moment the manufacturer becomes aware: an early warning within 24 hours, a detailed vulnerability or incident notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available (for an exploited vulnerability) or within one month of the incident notification (for a severe incident).

CRAReady automates these deadlines and the reporting workflow. Our vulnerability disclosure programme converts inbound reports from external researchers into tracked incidents the moment they arrive, time-stamped as the point of awareness from which the Article 14 clock runs, so no deadline is missed. Note that the statutory notification duty applies only to vulnerabilities that are actively exploited and to severe incidents; other reports are handled as ordinary coordinated vulnerability disclosure cases under the manufacturer's vulnerability-handling obligations, without the Article 14 deadlines.

24h

Early warning deadline

72h

Detailed vulnerability or incident notification deadline

14d / 1 month

Final report deadline (14 days after a corrective measure is available for an exploited vulnerability; one month after the incident notification for a severe incident)

How it works

STEP 1

Find a vulnerability

Discover a security issue in a product covered by our disclosure programme.

STEP 2

Submit your report

Use the product's public disclosure page; no account is required. Provide as much detail as you can: affected product and version, steps to reproduce, impact, and any evidence that the issue is being exploited in the wild, since that last point determines whether the vendor's Article 14 clock starts.

STEP 3

Receive confirmation

Get an instant acknowledgement with a unique reference number; quote it in all follow-up correspondence. The vendor is notified immediately.

STEP 4

Coordinated disclosure

Work with the vendor under responsible disclosure principles. Where the report concerns an actively exploited vulnerability or a severe incident, we facilitate the vendor's Article 14-compliant notification to the authorities.

Our commitments to reporters

We will acknowledge your report within 48 hours

Every disclosure receives an automated confirmation email with a reference number within seconds of submission; the vendor then confirms receipt of your report within 48 hours.

We will provide an update within 14 days

Vendors using CRAReady commit to communicating the status of your report within 14 days.

We will not pursue legal action against good-faith reporters

As long as you comply with this policy and act in good faith, we will not initiate legal action. This covers research on registered products within the scope set out below; it is not a licence to access or retain other users' data, disrupt service, or test systems that are out of scope.

We will credit you in advisories when you choose

Reporters who wish to be credited in public security advisories can request acknowledgement in their report.

Found a vulnerability?

If you have the product's public disclosure link, use it to submit your report directly; no account is required. If you don't have a link, contact the vendor directly and ask them to register on CRAReady.

Public disclosure links follow this format:

craready.co.uk/disclose/[product-slug]

Are you a vendor? Register to get your product's disclosure page.

Scope & Safe Harbour

In scope

  • Security vulnerabilities in registered products
  • Vulnerabilities with CVE identifiers (existing or new)
  • Supply chain vulnerabilities in open-source components
  • Configuration weaknesses that could be exploited

Out of scope

  • Denial of service attacks
  • Physical security issues
  • Social engineering of employees
  • Reports that require breaking the law to discover

This programme operates under responsible disclosure principles. Participants agree not to publicly disclose vulnerabilities until the vendor has had a reasonable opportunity to address them; the vendor's 14-day status update is the point at which a disclosure timeline should be agreed.

For software vendors

Register on CRAReady to get a public disclosure page for each of your products. Inbound reports are automatically converted into tracked incidents with the Article 14 deadlines computed from the time of receipt, so the 24-hour early-warning clock is visible from the moment you become aware of an issue. Whether a given report actually triggers Article 14 notification (an actively exploited vulnerability or a severe incident) remains your assessment; every report is still handled under your CRA vulnerability-handling obligations.