Back to blogs

Blog | OCT 08, 2025

Deep Dive - CRA Requirement (6) Vulnerability Sharing & Reporting

Cyber Resilience Act

What does it really mean to enable the responsible sharing of vulnerability information? In this deep dive into CRA Requirement (6), we explore why manufacturers must provide clear channels, such as a dedicated security contact, to collect reports on vulnerabilities in their products and third-party components. This requirement is about more than compliance: it builds a bridge between users, researchers, and manufacturers, ensuring that critical issues are reported quickly and handled responsibly.

The sixth vulnerability-handling requirement under the EU Cyber Resilience Act (CRA) emphasizes the importance of accessible communication channels for reporting vulnerabilities.

“(6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;”

This requirement makes it clear that manufacturers cannot treat vulnerability reporting as an afterthought. A clear, advertised point of contact is mandatory, enabling security researchers, customers, and partners to responsibly share information that could impact product security.

What this requirement means

Think of this requirement as setting up a clear “front desk” for security issues. Without it, valuable information about flaws may never reach the right people, or worse, may be disclosed publicly without giving the manufacturer time to respond.

For manufacturers, this means that they must provide a dedicated contact address to handle vulnerability reports. This contact information must be easy to find, typically published on the company’s website and included in product documentation, so that researchers, customers, and partners can quickly access it. Manufacturers must also ensure that any reports received through this channel are properly tracked, assessed, and acted upon in a systematic manner. In addition, they are required to inform relevant authorities, such as national CSIRTs, about how they can reach the manufacturer for urgent vulnerability coordination.

This requirement applies not only to vulnerabilities in the manufacturer’s own code but also to third-party components integrated into the product, where timely reporting can accelerate remediation across the supply chain.

Relevant Standards and Guidelines

Although the CRA does not prescribe exact technical standards, several frameworks support compliance with this requirement:

  • EN ISO/IEC 29147: provides guidelines for establishing communication channels for vulnerability disclosure, defining responsibilities and processes for receiving reports. It does not, however, fully address reporting on third-party components.

  • EN ISO/IEC 30111: complements 29147 by defining how reported vulnerabilities should be investigated, resolved, and disclosed. Its focus is on software, with limited guidance for broader digital elements.

  • ETSI EN 303 645: (consumer IoT) requires manufacturers to provide contact information for vulnerability reporting and refers to 29147, but details remain generic.

Together, these standards form a foundation, but as ENISA notes, gaps remain in fully covering third-party component reporting. To bridge these gaps, manufacturers should combine international standards with national/EU frameworks (e.g. ENISA guidance, CSIRTs Network collaboration) and adopt industry best practices like the FIRST PSIRT Services Framework or NIST SP 800-61 Rev. 2.

How to approach Implementation

To implement this requirement effectively, manufacturers should begin by setting up a dedicated contact point for handling incoming vulnerability reports, typically in the form of an email address or a web form, and ensure that this information is prominently displayed on the company website, product pages, and product documentation. Furthermore, manufacturers need clear processes with well-defined roles, responsibilities, and escalation steps when a vulnerability is reported.

In addition, it is recommended to support secure communication by offering encryption options such as a PGP key for sensitive submissions. They must also inform relevant authorities by registering their contact details with national CSIRTs and ensuring that they are available for timely coordination when needed. The contact point should be directly integrated into the company’s vulnerability handling processes, connecting it to internal triage, remediation, and disclosure workflows.

This requirement also creates an opportunity to align implementation with the Digital Product Passport (DPP) framework under the Ecodesign for Sustainable Products Regulation (ESPR). As DPPs will become mandatory across product categories in the coming years, manufacturers can use them as a central tool to make vulnerability contact information, documentation and related tools accessible to all stakeholders. By embedding the contact point and related security information directly into the DPP, companies can avoid maintaining multiple systems and reduce the risk of outdated information being included in product descriptions. Updates can be managed centrally, ensuring that contact details remain accurate and synchronized across the product portfolio.

Strategic Considerations beyond Compliance

For many companies, this requirement is not just about publishing an email address, it is about building trust with the security community. Security researchers and customers are far more likely to report vulnerabilities responsibly if they know their reports will be acknowledged and acted upon in a timely and structured way.

A well-run contact point or a dedicated Product Security Incident Response Team (PSIRT) can become a true strategic asset for an organization. It strengthens collaboration with researchers, customers, and authorities, creating a foundation for coordinated vulnerability handling. It also accelerates vulnerability response by ensuring that critical information flows quickly to the right teams inside the company, allowing issues to be addressed more efficiently. At the same time, it demonstrates accountability and transparency, which can serve as a competitive advantage in markets where trust is a key differentiator.

Ultimately, organizations that view this requirement as an opportunity rather than a burden will not only comply with the CRA but will also improve their overall security posture, increase resilience, and strengthen customer confidence.

In our next post, we will explore Requirement (7): Security Update Distribution.

Previous Blog CRA Vulnerability Handling Requirement (5): https://www.tributech.io/blog/cra-vulnerability-handling-requirement-5-coordinated-vulnerability-disclosure-policyNext Blog CRA Vulnerability Handling Requirement (7): https://www.tributech.io/blog/cra-vulnerability-handling-requirement-7-security-update-distribution

CRA Learning Path

Get the CRA Newsletter and unlock everything you need to stay compliant with CRA regulations: