Quick Start Guide
CVD Portal helps manufacturers meet the EU Cyber Resilience Act's coordinated vulnerability disclosure obligations (CRA Annex I Part II point 5). It gives your company a branded, public vulnerability disclosure portal, a submissions inbox to triage reports, and tooling for advisories and compliance evidence. This guide takes you live in four steps.
1. Create your account
Sign up with email or a Google or GitHub account. We send a verification link to confirm your address before you build your company workspace. Public email domains such as gmail.com cannot be used to create new accounts, which prevents brand impersonation.

2. Set up your workspace
From the dashboard, name your company and choose a unique portal slug such as acme-corp. The slug becomes your public reporting address at acme-corp.cvdportal.com. Invite teammates as ADMIN or MEMBER, and add your logo for a whitelabel portal.

3. Publish your CVD policy
Define what is in scope, how researchers should report, and your expected response times. The portal generates a matching security.txt so your disclosure contact is discoverable per RFC 9116.

4. Share your portal
Link to your public portal from your corporate website and your security.txt file. Researchers submit reports there, and your team triages them from the dashboard with a full CRA audit trail.

Key areas of the app
- Dashboard (https://cvdportal.com/dashboard). Overview of open submissions and compliance status.
- Submissions (https://cvdportal.com/submissions). The inbox for vulnerability reports.
- Analytics (https://cvdportal.com/analytics). Reporting trends and response metrics (PRO).
- Threat Intel (https://cvdportal.com/threat-intel). Vulnerability intelligence from the EU CIRCL feeds, including CVE and KEV data (PRO).
- Scanner (https://cvdportal.com/scanner). The CRA Exposure Scanner probes your domains for security.txt and CVD policy presence (Enterprise).
- Readiness (https://cvdportal.com/readiness). CRA readiness assessment, including the September 2026 reporting obligations and the December 2027 obligations tracker.
- Settings (https://cvdportal.com/settings). Branding, custom domain, team, notifications, SLA policies, SBOM, hardware registry, integrations, API keys, audit log.
- Billing (https://cvdportal.com/billing). Plan management.
- Feedback (https://cvdportal.com/feedback). Send feedback or a support request to the team.
Where to do X in the app
- Check your September 2026 CRA readiness, complete the Vulnerability Handling Procedure, and confirm your published reporting channel: Readiness (https://cvdportal.com/readiness) or Settings → September 2026 (https://cvdportal.com/settings/september-2026).
- Track the December 2027 CRA obligations and attach evidence: Settings → Obligations (https://cvdportal.com/settings/obligations).
- File or prepare an Article 14 report (24h early warning, 72h notification, final report): open the relevant report in Submissions (https://cvdportal.com/submissions) and use its Article 14 action.
- See who did what, when (append-only compliance trail): Settings → Audit log (https://cvdportal.com/settings/audit-log).
- Generate a CSAF advisory for a fixed vulnerability: open the submission in Submissions (https://cvdportal.com/submissions).
- Manage your plan or upgrade: Billing (https://cvdportal.com/billing).
Plans
CVD Portal has FREE, PRO, and ENTERPRISE plans. New companies can trial PRO features. PRO adds analytics, CSAF export, SBOM, hardware registry, monitoring sources, obligations drafting, security reviews, team members, and threat intel. ENTERPRISE adds the CRA scanner, API access, and EUDI wallet identity features. Upgrade under Billing (https://cvdportal.com/billing).