Full sample, no email gate
A real sample CRA reporting pack
This sample uses a fictional B2B SaaS manufacturer so you can inspect the artifact shape before paying. It is not legal advice, not certification, and not a conformity assessment.
CRA Article 14 Reporting Runbook — Northwind Ledger Cloud
Based on answers provided by Northwind Ledger on 2026-06-20. Self-attested by the manufacturer; not audited, certified, a conformity assessment, or legal advice.
Scope
This runbook covers Northwind Ledger Cloud, a B2B SaaS web application available to customers in Germany and the Netherlands. It is not legal advice and does not certify CRA compliance. It is an operational draft for handling actively exploited vulnerabilities and severe security incidents.
First 24 Hours
Open a Jira Security ticket labeled cra-review. The product security lead starts triage and records the awareness timestamp, affected version range, exploitation signal, customer impact, and evidence locations. If reporting is required, prepare the 24-hour early-warning draft without waiting for full root cause analysis.
By 72 Hours
Expand the early warning into a full notification. Include confirmed impact, affected product versions, corrective measure status, and links to SBOM, scanner alert, ticket, release, and customer-notice evidence. Unknown facts remain marked unknown.
Final Report Timing
For an actively exploited vulnerability, prepare the final report no later than 14 days after a corrective measure is available. For a severe security incident, prepare the final report within one month.
Gap Register
- 24-hour early-warning owner is not yet documented.
- Final-report owner and template are not yet documented.
- Product support-period statement is not yet public.
Notification Drafts — Northwind Ledger Cloud
Based on answers provided by Northwind Ledger on 2026-06-20. Self-attested by the manufacturer; not audited, certified, a conformity assessment, or legal advice.
24-Hour Early Warning
Product: Northwind Ledger Cloud. Awareness timestamp: {timestamp}. Issue type: {actively exploited vulnerability or severe security incident}. Affected versions: {known range or unknown}. First corrective action: {action}. Evidence attached: Jira Security ticket, scanner alert, SBOM reference, release reference if available. This draft is not legal advice.
72-Hour Full Notification
Update the early warning with confirmed impact, exploitation basis, customer exposure, mitigation status, and remaining unknown facts. Keep unknown facts as unknown rather than inferred.
Final Report
For actively exploited vulnerabilities, use this no later than 14 days after a corrective measure is available. For severe incidents, use it within one month. Attach release notes, advisory text, customer communications, and closure evidence.
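The following Python is an added illustration, not part of the sample pack or of Northwind Ledger's own tooling. It models the clock and checklist that the runbook and the drafts above describe: the 24-hour and 72-hour deadlines counted from the preserved awareness timestamp, the final-report deadline that stays unknown until a corrective measure exists (14 days after it) or is one month from awareness for a severe incident, the 72-hour evidence checklist, and a notification renderer that leaves unknown facts as the literal "unknown" instead of inferring them. The issue-type labels, evidence keys, sample ticket and link values, and the reading of "one month" as the same day of the next calendar month are this example's own assumptions.

```python
"""Reporting clock and evidence checks for the sample CRA runbook (added example)."""
import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Issue classes named in the runbook; the literal labels are assumed here.
EXPLOITED_VULNERABILITY = "actively exploited vulnerability"
SEVERE_INCIDENT = "severe security incident"

# Evidence the 72-hour notification is expected to link (key names assumed).
REQUIRED_72H_EVIDENCE = ("sbom", "scanner_alert", "ticket", "release", "customer_notice")


@dataclass
class ReportableIssue:
    product: str
    issue_type: str                                   # one of the two labels above
    awareness: datetime                               # preserved at triage, never re-derived
    corrective_measure_available: Optional[datetime] = None
    affected_versions: Optional[str] = None           # None means "unknown"
    evidence: dict = field(default_factory=dict)      # evidence key -> link, or None if absent


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp such as 2026-06-20T09:00:00+00:00."""
    return datetime.fromisoformat(value)


def plus_one_month(ts: datetime) -> datetime:
    """Same day of the next calendar month, clamped to that month's last day (assumed reading of 'one month')."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def deadlines(issue: ReportableIssue) -> dict:
    """Three reporting deadlines; final_report is None while its trigger is still unknown."""
    due = {
        "early_warning": issue.awareness + timedelta(hours=24),
        "full_notification": issue.awareness + timedelta(hours=72),
        "final_report": None,
    }
    if issue.issue_type == SEVERE_INCIDENT:
        due["final_report"] = plus_one_month(issue.awareness)
    elif issue.corrective_measure_available is not None:
        due["final_report"] = issue.corrective_measure_available + timedelta(days=14)
    return due


def missing_evidence(issue: ReportableIssue) -> list:
    """Checklist keys that have no attached link yet, in checklist order."""
    return [name for name in REQUIRED_72H_EVIDENCE if not issue.evidence.get(name)]


def full_notification(issue: ReportableIssue, now: datetime) -> dict:
    """Render the 72-hour notification; unknown facts are reported as 'unknown', never inferred."""
    due = deadlines(issue)
    fix = issue.corrective_measure_available
    return {
        "product": issue.product,
        "issue_type": issue.issue_type,
        "awareness_timestamp": issue.awareness.isoformat(),
        "affected_versions": issue.affected_versions or "unknown",
        "corrective_measure_status": ("available since " + fix.isoformat()) if fix else "unknown",
        "final_report_due": due["final_report"].isoformat() if due["final_report"] else "unknown",
        "overdue": now > due["full_notification"],
        "missing_evidence": missing_evidence(issue),
    }


def drill_passes(issue: ReportableIssue) -> bool:
    """Drill pass condition: every checklist artifact attached and affected versions known, nothing guessed."""
    return not missing_evidence(issue) and issue.affected_versions is not None


if __name__ == "__main__":
    # Constructed sample: scanner alert on an exploited package, ticket opened at awareness,
    # release and customer notice not yet available.
    issue = ReportableIssue(
        product="Northwind Ledger Cloud",
        issue_type=EXPLOITED_VULNERABILITY,
        awareness=datetime(2026, 6, 20, 9, 0, tzinfo=timezone.utc),
        affected_versions="v4.2.0-v4.3.1",
        evidence={"sbom": "sbom-artifact-1234", "scanner_alert": "alert-1", "ticket": "SEC-42"},
    )
    for stage, when in deadlines(issue).items():
        print(stage, when)
    print(full_notification(issue, now=datetime(2026, 6, 22, 9, 0, tzinfo=timezone.utc)))
    print("drill passes:", drill_passes(issue))
```

Running the script against the constructed sample shows the early-warning and full-notification deadlines fixed from the awareness timestamp, the final-report deadline reported as unknown until a corrective measure date is recorded, and the drill failing until the release and customer-notice links are attached.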
Evidence Register — Northwind Ledger Cloud
Based on answers provided by Northwind Ledger on 2026-06-20. Self-attested by the manufacturer; not audited, certified, a conformity assessment, or legal advice.
| Evidence | Source | Owner | Needed When | Current Gap |
|---|---|---|---|---|
| SBOM | CycloneDX artifact from GitHub Actions | Product security | 24h and 72h updates | Worker images not yet covered |
| Vulnerability alert | Snyk, npm audit, Dependabot | Product security | Initial triage | None stated |
| Affected versions | Git tags and deploy IDs | Engineering manager | 24h draft | None stated |
| Customer notice | Customer notification mailbox | Product/security | 72h and final report | Template needs rehearsal |
| Corrective measure | Pull request, release notes | Engineering | 72h and final report | None stated |
| Final-report packet | Jira Security ticket | Product security | 14 days or one month | Final-report owner not yet assigned |
This register is not legal advice and does not certify readiness.
Vulnerability Intake Policy — Northwind Ledger Cloud
Based on answers provided by Northwind Ledger on 2026-06-20. Self-attested by the manufacturer; not audited, certified, a conformity assessment, or legal advice.
Intake Sources
Vulnerabilities may arrive through the security mailbox, GitHub private advisories, Snyk, npm audit, vendor advisories, or customer support escalations. The product security lead opens or links a Jira Security ticket for each candidate issue.
Triage
Severity is assessed from CVSS, known exploitation signals, customer impact, and whether the affected component is internet-facing. Version impact is recorded from Git tags, deploy IDs, and release notes.
Reporting Handoff
If an issue may be an actively exploited vulnerability or a severe security incident, preserve the awareness timestamp and notify the 72-hour notification owner. A 24-hour early-warning owner is not yet assigned and remains in the gap register.
This policy is not legal advice and does not certify CRA compliance.
Tabletop Drill — Northwind Ledger Cloud
Based on answers provided by Northwind Ledger on 2026-06-20. Self-attested by the manufacturer; not audited, certified, a conformity assessment, or legal advice.
Scenario 1: Actively Exploited Package
Snyk alerts on an actively exploited npm package used in the API service. Run the first 24 hours, the 72-hour update, and the final-report path. The drill passes only if the team can attach SBOM evidence, affected versions, Jira ticket, corrective measure status, and customer-notice draft without guessing.
Scenario 2: Severe Security Incident
A customer reports unauthorized access to records exposed by a production configuration error. Run the one-month final-report path and record what evidence is missing.
After-Action Questions
- Who owned the 24-hour early warning?
- Which facts were unknown at 72 hours?
- What evidence was available immediately?
- What would block the 14-day or one-month final report?
Security reports go to security@northwind.example. This drill is not legal advice.
Ready to build yours?
Flat $3,999, one time. The output is grounded only in facts you attest before checkout.
Build my reporting pack →