Mastering VDP under the CRA
Michael Grand
2/10/2026

Under the Cyber Resilience Act (CRA), handling vulnerabilities is no longer just a best practice—it's a legal obligation. Annex I, Part II, point 5 of the CRA specifically outlines the requirements for vulnerability handling. To bridge the gap between legal text and technical reality, the new prEN 40000-1-3 standard provides a structured framework for compliance.
The Standards: IEC 29147, 30111, and prEN 40000-1-3
While the CRA sets the legal requirement, international and European standards provide the "how-to."
- ISO/IEC 29147: Focuses on Vulnerability Disclosure. It dictates how to receive reports from the outside world (researchers, users).
- ISO/IEC 30111: Focuses on Vulnerability Handling Processes. It covers the internal mechanics of triage, analysis, and remediation.
- prEN 40000-1-3: The European standard specific to Vulnerability Handling under the CRA. It aligns the ISO concepts with EU regulatory requirements, emphasizing risk-based rigor and machine-readable transparency.
What Makes a Good VDP Form?
Your Vulnerability Disclosure Policy (VDP) is the front door for security researchers. According to the standards, a compliant and effective VDP should be:
- Accessible: easy to find, typically via /.well-known/security.txt (RFC 9116) or a "Security" link.
- Secure: All submissions must use HTTPS. Offering PGP/GPG keys for encrypted communication is a requirement for handling sensitive exploit data (see [PRE-5-RQ-01-RE]).
- Comprehensive Identification: Integration with a Software Bill of Materials (SBOM) is critical. The prEN 40000-1-3 standard highlights that identifying affected components starts with a clear inventory of upstream dependencies.
- Safe Harbor: Explicitly state that you will not pursue legal action against researchers who follow your guidelines.
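As an added example, not part of the original post, here is a small Python checker for the security.txt file that backs the Accessible, Secure and Safe Harbor points above: it parses the file, applies the RFC 9116 rules for Contact and Expires, and flags a missing Encryption (PGP key) or Policy (safe harbor) field. The sample file and its example.org URLs are constructed placeholders.

```python
# Added example (not from the post): minimal RFC 9116 security.txt checker; the sample is constructed.
from datetime import datetime, timezone
from urllib.parse import urlparse
SAMPLE_SECURITY_TXT = """\
Contact: https://example.org/.well-known/vdp-form
Contact: mailto:security@example.org
Encryption: https://example.org/pgp-key.txt
Policy: https://example.org/vdp-safe-harbor
Expires: 2027-02-10T00:00:00.000Z
"""

def parse_security_txt(text):
    """Map each field name to its list of values; '#' lines are comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of findings; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    findings = []
    # RFC 9116: Contact is mandatory and must be a URI; a plain http form would send exploit details in the clear.
    contacts = f.get("Contact", [])
    if not contacts:
        findings.append("missing Contact field")
    for c in contacts:
        if urlparse(c).scheme not in ("https", "mailto", "tel"):
            findings.append(f"Contact must be an https/mailto/tel URI: {c}")
    # RFC 9116: exactly one Expires field, an RFC 3339 timestamp, still in the future.
    expires = f.get("Expires", [])
    if len(expires) != 1:
        findings.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp <= now:
                findings.append("security.txt has expired")
        except ValueError:
            findings.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
    # Fields the VDP guidance above relies on: a PGP key and a linked safe-harbor policy.
    if "Encryption" not in f:
        findings.append("no Encryption field (no PGP/GPG key offered)")
    if "Policy" not in f:
        findings.append("no Policy field (safe harbor not linked)")
    return findings
```

Run it against the file actually served at /.well-known/security.txt; a non-empty result is the list of points to fix before researchers rely on it.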
The Vulnerability Management Process
Once a report lands in your VDP form, the clock starts ticking. A robust process involves:
- Acknowledgment: You must automate a receipt confirmation. prEN 40000-1-3 (RCP-1) requires acknowledging potential vulnerabilities within a defined timeframe.
- Triage & Verification: Quickly validate the report. Is it real? Assign a severity score (CVSS).
- Remediation: The CRA requires fixing vulnerabilities "without delay." Importantly, the standard mandates that security updates should be provided separately from functional updates whenever possible (see [RMD-2-RQ-02]).
- Disclosure & Machine-Readability: Once fixed, you publish an advisory. For high-compliance scenarios, these bulletins should be machine-readable (using formats like CSAF or VEX) to allow automated consumption by your customers.
- Regulatory Reporting: Under the CRA, you have strictly defined obligations to report actively exploited vulnerabilities to authorities within 24 hours.
Conclusion
A well-oiled VDP is your immune system. By following the prEN 40000-1-3 framework, you ensure that your organization doesn't just "do security" but builds a resilient, compliant, and transparent relationship with the global research community.