24 Hours to Report
The CRA mandates that manufacturers report actively exploited vulnerabilities to ENISA within 24 hours. This isn't a suggestion; it's a legal requirement starting September 2026.
The CRA Reporting Timeline

- Hour 0: Vulnerability discovered/reported
- Hour 24: Early warning notification to ENISA
- Hour 72: Vulnerability notification with assessment
- Day 14: Detailed vulnerability report
- Day 30: Final report (if not resolved earlier)

Building Your Vulnerability Handling Process
1. Intake: Accept Reports from Multiple Channels

```text
# security.txt (RFC 9116) - Place at /.well-known/security.txt
Contact: mailto:security@yourcompany.com
Contact: https://yourcompany.com/security/report
Encryption: https://yourcompany.com/.well-known/pgp-key.txt
Acknowledgments: https://yourcompany.com/security/acknowledgments
Policy: https://yourcompany.com/security/policy
Preferred-Languages: en
Canonical: https://yourcompany.com/.well-known/security.txt
Expires: 2027-01-01T00:00:00.000Z
```

2. Triage: Assess Severity and Impact
```python
class VulnerabilityTriager:
    """Turns an incoming report into a triage record and starts the CRA clock.

    calculate_cvss, find_affected_products, calculate_deadline and
    start_enisa_timer are expected to be supplied by the implementing team.
    """

    def assess(self, report):
        severity = self.calculate_cvss(report)
        assessment = {
            "cvss_score": severity.score,
            "cvss_vector": severity.vector,
            "affected_products": self.find_affected_products(report),
            "actively_exploited": report.exploitation_evidence,
            # High severity or any evidence of exploitation triggers reporting
            "cra_reporting_required": severity.score >= 7.0 or report.exploitation_evidence,
            "deadline": self.calculate_deadline(report),
        }
        if assessment["cra_reporting_required"]:
            # Start 24-hour clock
            self.start_enisa_timer(assessment)
        return assessment
```

3. ENISA Reporting
```python
class ENISAReporter:
    # Base URL used by submit(), which is assumed to be implemented elsewhere in the class
    ENISA_ENDPOINT = "https://reporting.enisa.europa.eu/api/v1"

    async def early_warning(self, vulnerability):
        # Must be sent within 24 hours
        payload = {
            "type": "early_warning",
            "product": vulnerability.product_name,
            "severity": vulnerability.cvss_score,
            "actively_exploited": vulnerability.is_exploited,
            "description": vulnerability.brief_description,
            "estimated_impact": vulnerability.estimated_users_affected,
        }
        response = await self.submit(payload)
        return response

    async def full_notification(self, vulnerability):
        # Must be sent within 72 hours
        payload = {
            "type": "vulnerability_notification",
            "cve_id": vulnerability.cve_id,
            "technical_details": vulnerability.technical_analysis,
            "affected_versions": vulnerability.affected_versions,
            "mitigation": vulnerability.temporary_mitigation,
            "patch_timeline": vulnerability.expected_patch_date,
        }
        response = await self.submit(payload)
        return response
```

4. Patch and Notify Users
```yaml
# Automated security advisory pipeline
security-advisory:
  stage: notify
  when: manual   # Security team triggers
  script:
    - python generate_advisory.py --cve $CVE_ID --severity $SEVERITY
    - python notify_users.py --product $PRODUCT --advisory advisory.json
    - python update_sbom.py --product $PRODUCT --version $PATCHED_VERSION
```

Coordinated Vulnerability Disclosure Policy
Your public vulnerability disclosure policy must include:
- How to report: email, web form, encrypted channels
- Response timeline: acknowledge within 48 hours
- Coordination: work with reporter before public disclosure
- Safe harbor: security researchers won't face legal action
- Credit: acknowledge reporters (with permission)
- Disclosure timeline: typically 90 days, shorter for active exploitation
Tooling Recommendations
- Vulnerability intake: MITRE Vulnogram, GitHub Security Advisories
- Tracking: JIRA with security workflow, or dedicated tools like DefectDojo
- SBOM scanning: Grype, Trivy, or Snyk for continuous monitoring
- Reporting: Automated ENISA reporting integration
- Communication: Pre-written advisory templates, distribution lists
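As an added example of the deadline tracking such an automated reporting integration needs (this is not code from the original post): the milestones from the timeline at the top of the page, computed from the discovery timestamp and flagged when they fall due unsubmitted. The milestone names, the ISO 8601 string inputs and the sample dates are my own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# CRA milestones as listed in the timeline above, measured from discovery.
CRA_MILESTONES = (
    ("early_warning", timedelta(hours=24)),
    ("vulnerability_notification", timedelta(hours=72)),
    ("detailed_report", timedelta(days=14)),
    ("final_report", timedelta(days=30)),
)

@dataclass(frozen=True)
class Milestone:
    name: str
    due: datetime
    submitted: bool
    overdue: bool
    hours_remaining: float  # negative once the deadline has passed

def reporting_required(cvss_score: float, actively_exploited: bool) -> bool:
    """The page's triage rule: CVSS >= 7.0 or evidence of active exploitation."""
    return cvss_score >= 7.0 or actively_exploited

def _aware(iso_timestamp: str) -> datetime:
    """Parse an ISO 8601 timestamp and reject naive values: the clock must be unambiguous."""
    ts = datetime.fromisoformat(iso_timestamp)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp must carry a UTC offset: {iso_timestamp}")
    return ts

def reporting_schedule(discovered_at: str, submitted: set, now: str) -> list:
    """Compute every milestone relative to discovery and flag those overdue at `now`."""
    discovered, current = _aware(discovered_at), _aware(now)
    schedule = []
    for name, offset in CRA_MILESTONES:
        due = discovered + offset
        done = name in submitted
        remaining = (due - current).total_seconds() / 3600
        schedule.append(Milestone(name, due, done, not done and current > due, remaining))
    return schedule

def overdue_milestones(discovered_at: str, submitted: set, now: str) -> list:
    """Names of milestones that are past due and still unsubmitted."""
    return [m.name for m in reporting_schedule(discovered_at, submitted, now) if m.overdue]

if __name__ == "__main__":
    # Constructed sample: discovered 09:00 UTC, early warning sent, checked 80 hours later.
    for m in reporting_schedule("2026-09-14T09:00:00+00:00", {"early_warning"}, "2026-09-17T17:00:00+00:00"):
        print(f"{m.name:26} due {m.due:%Y-%m-%d %H:%M} overdue={m.overdue} remaining={m.hours_remaining:+.0f}h")
```

Feeding it the timestamps your tracker already stores gives you the evidence trail regulators will ask for, and the overdue list is what a pager rule should fire on.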
Key Takeaways
- Build the process NOW: September 2026 is the first enforcement date
- security.txt is a quick win: takes 5 minutes, signals maturity
- Automate what you can: SBOM scanning, severity assessment, notification
- Practice the process: tabletop exercises with your security team
- Document everything: regulators will ask for evidence
Need help building CRA-compliant vulnerability handling? I help organizations design security response processes. Get in touch.
