VulnBrief

For software and connected-product manufacturers selling into the EU

Be ready for CRA vulnerability reporting before the clock starts.

Answer product-security questions, attest every fact, and get a Cyber Resilience Act Article 14 reporting runbook, notification drafts, evidence register, vulnerability-intake policy, and tabletop drill. Flat $3,999, one time. Not legal advice, not certification, not a conformity assessment.

What you get

  1. Attested intake. Scope one product, vulnerability channels, SBOM status, evidence locations, release process, reporting owners, and known gaps.
  2. Validator-gated artifacts. The generator may only use your confirmed facts. Missing owners or tools stay in a gap register, never as current-practice claims.
  3. A rehearsable pack. Download Markdown documents and use the tabletop drill to test who can prepare the 24-hour, 72-hour, and final-report materials.

Article 14 runbook

Who opens the process, what gets attached in the first 24 hours, what changes by 72 hours, and where final-report evidence comes from.

Notification drafts

Early-warning, full-notification, and final-report templates that keep unknown facts as unknown instead of inventing legal conclusions.

Evidence register

A product-specific map of SBOMs, scanner alerts, tickets, versions, releases, advisories, and submission records — including what is missing.

The boundary is explicit

VulnBrief produces manufacturer-attested operational documentation. It does not file reports, provide legal advice, certify CRA compliance, perform a conformity assessment, or guarantee regulator acceptance. That restraint is part of the product: the pack is useful because it says what is known, what is unknown, and who owns the next action.

A real example, fully visible

Generated for Northwind Ledger, a fictional B2B SaaS manufacturer preparing for CRA Article 14 reporting. This is representative output from the same artifact shape your order uses.

CRA Article 14 Reporting Runbook — Northwind Ledger Cloud

Based on answers provided by Northwind Ledger on 2026-06-20. Self-attested by the manufacturer; not audited, certified, a conformity assessment, or legal advice.

Scope

This runbook covers Northwind Ledger Cloud, a B2B SaaS web application available to customers in Germany and the Netherlands. It is not legal advice and does not certify CRA compliance. It is an operational draft for handling actively exploited vulnerabilities and severe security incidents.

First 24 Hours

Open a Jira Security ticket labeled cra-review. The product security lead starts triage, records the awareness timestamp, affected version range, exploitation signal, customer impact, and evidence locations. If reporting is required, prepare the 24-hour early-warning draft without waiting for full root cause analysis.


Common questions

What data do you store?
Your intake answers, attestation timestamp, generated artifacts, order status, and support/refund signals. Generated packs are private behind an unguessable order link unless you explicitly publish the optional readiness page.
How long does it take?
The intake is the slow part because the facts are yours. Generation starts after checkout and typically finishes in minutes; the order page and email show status.
Is this legal advice?
No. It is operational documentation generated from your attested facts. Counsel should review any actual regulatory submission or customer-facing legal position.
Who is this not for?
Teams seeking a full CRA conformity assessment, a legal opinion, or someone to file notifications for them. VulnBrief is for building the reporting process and evidence pack before an event.