CRA Article 15: Coordinated Vulnerability Disclosure
Manufacturers must handle vulnerability reports from third parties and coordinate disclosure with ENISA.
Last updated 2026-03-01
What Article 15 requires
Article 15 establishes requirements for coordinated vulnerability disclosure:
- Provide a contact point for vulnerability reports.
- Acknowledge receipt of reports within a defined time (validity is established during triage, not before the acknowledgement) and keep the reporter informed of triage status.
- Coordinate disclosure timelines with reporters and ENISA where appropriate.
Supply-chain relevance
Supply-chain compromises like CVE-2024-3094 (the xz-utils backdoor, which shipped in the 5.6.0 and 5.6.1 release tarballs of a component rather than as a flaw in any product's own code) demonstrate why Article 15 processes must extend to upstream component integrity, not only to direct product vulnerabilities. A report about a component a product embeds needs the same intake, triage and disclosure path as a report about the product itself, and the manufacturer needs a way to tell, from its own inventory, which products and versions carry the affected component.
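The check that turns an upstream advisory into a per-product impact record, as an added example that is not part of the page or of any CRA guidance: it takes a CycloneDX-style SBOM and an advisory record, flags components whose upstream version is in the advisory's affected set, and walks the SBOM dependency graph to show how the product reaches the component. The SBOM, the product name, the package-name aliases and the version handling are constructed assumptions; only the CVE identifier and the two backdoored xz release versions come from the public record.

```python
"""Added example (not from the page): SBOM-linked impact assessment that maps an
upstream advisory onto a product's component graph.

Assumptions (not from the page): the SBOM is CycloneDX-style JSON already loaded
into a dict, every component carries a Package URL ("purl"), and exact-string
version matching after stripping packaging suffixes is adequate."""
import copy
from collections import deque

# Constructed advisory record. The affected versions 5.6.0 and 5.6.1 are the
# publicly documented backdoored releases for CVE-2024-3094; the package-name
# aliases are an assumption about how distributions label the xz packages.
ADVISORY = {
    "id": "CVE-2024-3094",
    "names": {"xz", "xz-utils", "liblzma", "liblzma5"},
    "affected": {"5.6.0", "5.6.1"},
}

# Constructed CycloneDX-style SBOM for a hypothetical product "gateway-fw".
# The chain sshd -> libsystemd -> liblzma mirrors the real exposure path;
# "xz-utils" is listed but has no recorded dependency edge (e.g. a tool in the image).
GATEWAY_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "prod", "name": "gateway-fw", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "sshd", "name": "openssh-server", "purl": "pkg:deb/debian/openssh-server@9.6p1-1"},
        {"bom-ref": "systemd", "name": "libsystemd0", "purl": "pkg:deb/debian/libsystemd0@255.4-1"},
        {"bom-ref": "lzma", "name": "liblzma5", "purl": "pkg:deb/debian/liblzma5@5.6.1-1"},
        {"bom-ref": "xz", "name": "xz-utils", "purl": "pkg:deb/debian/xz-utils@5.6.0-0.2"},
        {"bom-ref": "zlib", "name": "zlib1g", "purl": "pkg:deb/debian/zlib1g@1.3.dfsg-3"},
    ],
    "dependencies": [
        {"ref": "prod", "dependsOn": ["sshd", "zlib"]},
        {"ref": "sshd", "dependsOn": ["systemd"]},
        {"ref": "systemd", "dependsOn": ["lzma"]},
    ],
}


def parse_purl(purl):
    """Return (name, version) from a Package URL, ignoring qualifiers and subpath."""
    body = purl.removeprefix("pkg:").split("?", 1)[0].split("#", 1)[0]
    path, _, version = body.partition("@")
    return path.rsplit("/", 1)[-1], version


def upstream_version(version):
    """Strip a Debian-style epoch and packaging revision if present: '1:9.6p1-1' -> '9.6p1'."""
    return version.split(":", 1)[-1].split("-", 1)[0]


def shortest_path(graph, start, goal):
    """BFS over the SBOM dependency graph; None if goal is unreachable from start."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def assess_impact(sbom, advisory):
    """One finding per affected component, with the dependency path from the
    product root when the SBOM records one (path None = listed, no known edge)."""
    root = sbom["metadata"]["component"]["bom-ref"]
    labels = {root: sbom["metadata"]["component"]["name"]}
    labels.update({c["bom-ref"]: c["name"] for c in sbom["components"]})
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    findings = []
    for comp in sbom["components"]:
        name, version = parse_purl(comp["purl"])
        if name not in advisory["names"] or upstream_version(version) not in advisory["affected"]:
            continue
        path = shortest_path(graph, root, comp["bom-ref"])
        findings.append({
            "advisory": advisory["id"],
            "component": comp["purl"],
            "path": None if path is None else [labels[r] for r in path],
        })
    return findings


def remediated(sbom, bom_ref, new_purl):
    """Copy of the SBOM with one component's purl replaced, to re-run the assessment after a fix."""
    updated = copy.deepcopy(sbom)
    for comp in updated["components"]:
        if comp["bom-ref"] == bom_ref:
            comp["purl"] = new_purl
    return updated


if __name__ == "__main__":
    for finding in assess_impact(GATEWAY_SBOM, ADVISORY):
        print(finding)
```

A finding with `path` set to None is still a finding: the component is in the product and the SBOM simply lacks a dependency edge for it, so the conservative reading for the disclosure record is "affected, exposure path unknown" rather than "not reachable".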
What good looks like
- Published security.txt (RFC 9116, served at /.well-known/security.txt over HTTPS) or an equivalent VDP page that states the contact channel and scope
- Documented triage SLA (time to acknowledge, time to assign a severity, time to fix or mitigation)
- SBOM-linked impact assessment workflow, so an upstream advisory can be mapped to the affected products and versions
- Post-incident disclosure record retained for audit
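A check for the first item in that list, as an added example that is not part of the page: a validator for the contents of a security.txt file against the RFC 9116 rules a reporter depends on (a Contact URI, a single future Expires timestamp, https URLs for web fields). The two sample files and the reference time are constructed; example.com is a placeholder domain. The validator checks content only; that the file is actually served at /.well-known/security.txt over HTTPS is a deployment check outside this script.

```python
"""Added example (not from the page): validate a security.txt file against the
RFC 9116 field rules. Sample files below are constructed; example.com is a
placeholder. Reference time NOW is fixed so the result is reproducible."""
from datetime import datetime, timedelta, timezone

# Constructed reference time for the expiry checks (the page's own "last updated" date).
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)

GOOD_SECURITY_TXT = """\
# Constructed sample security.txt; example.com is a placeholder domain.
Contact: mailto:security@example.com
Contact: https://example.com/vdp
Expires: 2026-12-31T23:59:59Z
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/vdp
"""

# Constructed sample with four defects: bare e-mail address instead of a URI,
# duplicated Expires, one Expires already in the past, and a plain-http Policy URL.
BAD_SECURITY_TXT = """\
Contact: security@example.com
Expires: 2025-01-01T00:00:00Z
Expires: 2027-01-01T00:00:00Z
Policy: http://example.com/vdp
"""

REQUIRED = ("contact", "expires")
SINGLE_VALUED = ("expires", "preferred-languages")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")
HTTPS_ONLY = ("canonical", "policy")


def parse_security_txt(text):
    """Return (field, value) pairs with lower-cased field names; comments and blank lines skipped."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.append(("<malformed>", line))
            continue
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def validate_security_txt(text, now=None):
    """Return a list of human-readable issues; an empty list means the file passed."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    names = [f for f, _ in fields]
    issues = [f"malformed line: {v!r}" for f, v in fields if f == "<malformed>"]
    issues += [f"missing required field: {r}" for r in REQUIRED if r not in names]
    issues += [f"field must appear at most once: {s}" for s in SINGLE_VALUED if names.count(s) > 1]
    for field, value in fields:
        if field == "contact" and not value.startswith(CONTACT_SCHEMES):
            issues.append(f"contact must be a mailto:, https:// or tel: URI: {value}")
        if field in HTTPS_ONLY and not value.startswith("https://"):
            issues.append(f"{field} must be an https:// URL: {value}")
        if field == "expires":
            try:
                # RFC 3339 timestamp; "Z" is mapped to an explicit offset for fromisoformat.
                expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                issues.append(f"expires is not an ISO 8601 timestamp: {value}")
                continue
            if expires.tzinfo is None:
                issues.append(f"expires must carry a timezone offset: {value}")
            elif expires <= now:
                issues.append(f"file has expired: {value}")
            elif expires > now + timedelta(days=365):
                issues.append(f"expires should be less than a year in the future: {value}")
    return issues


if __name__ == "__main__":
    print("good:", validate_security_txt(GOOD_SECURITY_TXT, NOW))
    print("bad: ", validate_security_txt(BAD_SECURITY_TXT, NOW))
```

Running the validator on a schedule against the live file catches the most common silent failure of a published contact point: an Expires value that lapsed after the last rotation, which tells reporters the file is stale and may send them elsewhere.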