Article 14 readiness
How should a software team use SBOMs for CRA reporting readiness?
Treat the SBOM as one evidence source, not the whole process. The pack should say which product surfaces are covered, what is missing, where artifacts are stored, and who can retrieve them during the first reporting window.
What VulnBrief does with this
The paid pack asks for the related facts, shows them back on an attestation screen, and then generates operational artifacts only from what you confirmed. Missing owners or evidence sources stay in the gap register.
Related intake fields: sbom_status, scan_sources, evidence_locations.
Build the product-specific version
Get the runbook, notification drafts, evidence register, vulnerability-intake policy, and tabletop drill for one product. Flat $3,999, one time. Not legal advice, not certification.