Skip to main content

CVD Portal — feature guide

Submissions inbox

All vulnerability reports submitted through your public portal land in Submissions (https://cvdportal.com/submissions). Each submission tracks reporter contact details, affected product, description, severity, and status through the disclosure lifecycle. The full timeline is recorded so you can evidence compliant handling under the CRA vulnerability handling requirements (Annex I Part II).

When a researcher submits a report, they are shown a reference number (for example CVD-1A2B3C4D) and a private link to track its status. If they provided a contact email, that confirmation and link are also emailed to them. The status page (at your portal, /status/) shows a reporter-safe view, current status (Received, Acknowledged, In progress, Resolved), submitted and last-updated dates, but never your internal notes. This keeps researchers informed without an account, which reduces duplicate "any update?" emails and discourages premature public disclosure.

Researchers can also report anonymously by leaving the contact email empty. Anonymous reports are stored without the reporter's IP address (metadata minimisation per BSI TR-03183-3), and the form tells the researcher that anonymous reports can only be processed to a limited extent if follow-up questions are impossible.

CSAF advisories (PRO)

Export advisories in CSAF (Common Security Advisory Framework) format from a submission at https://cvdportal.com/submissions. CSAF is the machine-readable advisory format used by EU CSIRTs and required in modern advisory pipelines. Fixed-vulnerability disclosure is a CRA obligation (Annex I Part II point 4).

Researcher acknowledgment

An advisory can credit the reporting researcher by name or alias. In the advisory editor (Public Advisory panel on a submission), enter the researcher's name or alias and tick the consent checkbox confirming the researcher has given permission to be credited. The credit then appears in an Acknowledgments section on the public advisory page and in the CSAF export's document.acknowledgments array. Without the consent checkbox the name is stored but never shown publicly. This follows the joint CISA/NSA/JPCERT/NCSC CVD guidance on recognising researchers, and the disclosure policy template's promise to credit reporters who want it.

CSAF provider hosting (PRO)

Your public portal also acts as a CSAF provider. It serves a provider-metadata.json at https://.cvdportal.com/.well-known/csaf/provider-metadata.json plus a directory-based distribution (index.txt, changes.csv, and one CSAF document per published advisory, named after its lowercased advisory reference). This is the URL that the CSAF field of your generated security.txt points to, as recommended by BSI TR-03183-3. Tools and aggregators can discover and mirror your advisories automatically. No setup is needed; publishing an advisory is enough.

AI triage (Enterprise, opt-in)

When enabled under Settings → AI triage (https://cvdportal.com/settings/ai-triage), AI triage pre-assesses new submissions: suggested severity, CVSS score, vulnerability type, a summary, and whether the issue looks reportable under CRA Article 14. Suggestions never overwrite human decisions.

Threat intelligence (PRO)

Threat Intel (https://cvdportal.com/threat-intel) is a mirror of the EU CIRCL vulnerability data (CVE records, known-exploited-vulnerability entries, and sightings) that you can search and correlate with your products.

CRA Exposure Scanner (Enterprise)

The Scanner (https://cvdportal.com/scanner) scans your domains for the presence and validity of security.txt (RFC 9116) and a reachable CVD policy, the externally visible signals of CRA CVD compliance. Each scan also produces a BSI TR-03183-3 conformance checklist covering every MUST and SHOULD requirement for the security.txt (canonical URI, contact addresses, OpenPGP encryption key, preferred languages, policy link, CSAF provider metadata, expiry window, and the OpenPGP signature), so you can see exactly how far beyond the baseline your public channel goes.

SBOM and hardware registry (PRO)

Store software bills of materials at Settings → SBOM (https://cvdportal.com/settings/sbom) and hardware product records at Settings → Hardware (https://cvdportal.com/settings/hardware), supporting the CRA SBOM requirement (Annex I Part II point 1). You can upload a CycloneDX or SPDX JSON file (SPDX 2.x and SPDX 3.x JSON-LD are both accepted), or a native dependency manifest (package.json, requirements.txt, go.mod, Cargo.toml, pom.xml, Gemfile.lock).

Every CycloneDX or SPDX upload also produces a BSI TR-03183-2 conformance report: whether the file meets the minimum specification version (CycloneDX 1.6 or SPDX 3.0.1) and which of the TR's required data fields (SBOM creator and timestamp, and per component the creator, name, version, filename, dependencies, licences, hash and file properties) are present. Older versions and missing fields never block ingestion; they are reported so you can improve your SBOM pipeline. A free public version of this validator is at https://cvdportal.com/tools/sbom-validator and runs entirely in the browser.

SBOM connectivity from CI/CD (Enterprise)

Instead of uploading by hand, Enterprise plans can push an SBOM automatically from a build pipeline so the supply-chain view never goes stale. Send it to the public API with POST /api/v1/sbom, a Bearer API key, and a JSON body of { "filename": "sbom.cdx.json", "content": "" }. The latest push, from CI or the dashboard, becomes the company's active SBOM. Each push is recorded in the audit log and can notify a webhook via the sbom.ingested event. The daily supply-chain scan then rechecks the pushed components against known advisories and alerts on any new match.

Products — CRA compliance workspace (Compliance)

The Products workspace (Compliance → Products, https://cvdportal.com/products) runs the CRA conformity work per product: Annex III/IV classification and the Article 32 route, the documented Article 13 risk assessment with STRIDE threat modelling and risk scoring, the 21-requirement Annex I checklist with per-requirement owners, due dates and deadline reminders, Clause 6 and 7 artifact drafting, the draft EU Declaration of Conformity (Annex V) with its simplified Annex VI form and the Annex VII technical-documentation index with export (optionally behind a four-eyes export approval), CE marking guidance, the Annex II user-information sheet with support-period management, and monitoring with assessment snapshots. A company-wide executive readiness briefing (print / PDF) summarises portfolio progress, deadline posture and approval state for leadership. See the dedicated Products workspace guide for details.

Monitoring sources and obligations (PRO)

Monitoring sources (Settings → Monitoring sources, https://cvdportal.com/settings/monitoring-sources) let you register feeds to watch for vulnerabilities relevant to your products. The obligations tracker (Settings → Obligations, https://cvdportal.com/settings/obligations) helps prepare CRA-mandated notifications and track the December 2027 obligations. The Article 14 reporting flow that applies from 11 September 2026 is driven from each submission.

Email notifications

Configure alert recipients and toggles at Settings → Notifications (https://cvdportal.com/settings/notifications). When "New Vulnerability Reports" is on, every new portal submission is emailed to your alert recipients (or, if none are configured, to your dashboard users). Researchers who left a contact email receive an automatic acknowledgment email when you acknowledge their report. Enterprise plans also receive Article 14 deadline emails from the hourly deadline monitor: an approaching warning before each stage (24-hour early warning, 72-hour notification, final report) and an alert if a stage deadline is missed. These emails are sent in addition to any webhooks you have configured. A welcome email with your portal URL arrives after your email address is verified.

The Compliance Deadlines section on the same page controls the Annex I checklist reminders (Compliance plan and higher): a daily job emails each requirement owner when an owned item comes due (7 days before) and again once it is overdue, and escalates items that stay overdue past the configurable threshold (default 7 days) to the escalation contact you set there. Without an escalation contact, escalations go to the alert recipients.

Team, API, integrations

  • Team members (PRO). Invite colleagues with roles at Settings → Team (https://cvdportal.com/settings/team). Three roles are available: Admin (full control), Member (read and triage), and Auditor — a read-only account for an external assessor or notified body that can optionally expire on a set date, does not consume a team seat (up to 5 per company), and never receives operational alert emails. Auditor sessions cannot change anything; login stops working after the expiry date.
  • Public API (Enterprise). Bearer-token API under /api/v1 for automating submissions, data access, SARIF pipeline findings, and SBOM pushes (POST /api/v1/sbom). Create and manage API keys at Settings → API Keys (https://cvdportal.com/settings/api-keys). Each key can be scoped to only what it needs (for example push SBOMs but not export data), given an expiry (30 days, 90 days, 1 year, or never), and restricted to specific source IPs or CIDR ranges. Keys are shown once at creation, and can be rotated (issue a new secret, old one stops working immediately) or revoked at any time.
  • Integrations. Webhooks for submission, SLA, Article 14, threat-intel, and SBOM-ingested events at Settings → Integrations (https://cvdportal.com/settings/integrations).

Compliance badge

Every plan can embed a compliance badge on its own website or repository. Settings → Compliance Badge (https://cvdportal.com/settings) gives copy-paste HTML and Markdown snippets plus a live preview. The badge image is served from https://cvdportal.com/api/badge/ and links to your public verification page at https://cvdportal.com/verify/, so it doubles as a trust signal and a link back for researchers.

Portal attribution on the free plan

Free portals carry a small "Vulnerability disclosure powered by CVD Portal" line in the footer of the public researcher pages. Paid plans (Pro and Enterprise) do not show it.

Two-factor authentication

Add a second step to password sign-in at Settings → Account (https://cvdportal.com/settings/account). Scan the QR code with any authenticator app (Google Authenticator, 1Password, Authy), confirm a 6-digit code, and save the one-time backup codes shown once at enrolment. After that, signing in with your password also asks for the current authenticator code (or a backup code). Turning 2FA off requires your password. Two-factor applies to password login only. Accounts that sign in through Google, GitHub, or SAML SSO rely on that provider's own MFA. For account safety, repeated failed sign-ins temporarily lock an account for 15 minutes.

Audit log

Every significant action is recorded in an append-only audit log at Settings → Audit log (https://cvdportal.com/settings/audit-log): actor, timestamp, IP, country, and action type. This is your paper trail for CRA evidence.

September 2026 readiness

The Readiness section (https://cvdportal.com/readiness), and Settings → September 2026 (https://cvdportal.com/settings/september-2026), includes a dedicated September 2026 view for the CRA reporting obligations (Article 14) that apply from 11 September 2026: early warning within 24 hours, notification within 72 hours, and final reports for actively exploited vulnerabilities and severe incidents. It also tracks the three required legal artifacts, the Vulnerability Handling Procedure, and your externally published reporting channel.

The generated security.txt follows the BSI TR-03183-3 layout: Canonical, Contact (email plus your portal's submission form), Encryption (your PGP key, served from your portal at /pgp-key.asc when one is saved under Settings → Policy & Security), Acknowledgments (when you save an acknowledgments page URL there), Preferred-Languages, Policy, CSAF (on plans with CSAF export) and Expires. After you verify a domain, CVD Portal remembers it and emails your admins when the published security.txt is missing, expired or expiring within 30 days, plus a quarterly reminder to review the file's contents, matching the TR's quarterly-check requirement.

CVD policy template and customisation

Your public policy page (at your portal, /policy) uses a built-in template aligned with BSI TR-03183-3 section 4.4: confidential handling, no disclosure of reporter personal data without consent, no criminal charges for good-faith research, no NDA requirement, an anonymous-reporting statement, response times, a 90-day coordinated disclosure window, a visible last-updated date and a yearly review commitment. You can override the text under Settings → Policy & Security (English and German), and a "Reset to latest template" button removes your override so future template improvements apply automatically.

Feedback and support

Use the Feedback page (https://cvdportal.com/feedback) to send a message to the team. The floating chat assistant answers questions about the CRA and about using CVD Portal, with citations to the official documentation, and points you to the exact page for what you want to do.

If something breaks, you do not have to leave the page. Every error message and the error page itself carry a "Report this failure" button. It captures the error details and the page you were on, lets you add an optional note about what you were doing, and sends the report straight to the team. Reports from signed-in users are logged as a bug on your account so we can follow up.