
Handling Encrypted Reports

By The CVD Portal Team

Protecting the confidentiality of zero-day vulnerabilities and sensitive system architectures is a paramount concern under the Cyber Resilience Act (CRA). To facilitate secure communication with the most security-conscious researchers, the CVD Portal fully supports the reception and processing of encrypted vulnerability reports. This capability ensures that critical exploit details remain secure even if intercepted during transmission.

The portal supports PGP (Pretty Good Privacy) for encrypted researcher communications. You can upload and publish your organization's PGP public key via Settings → PGP / Security, making it easily accessible to researchers — including through your automated security.txt file and public disclosure policy page.

When a researcher encrypts their report with your public key before submitting, the encrypted payload is stored and displayed in the submission detail view. Decryption is performed locally by your team using your private key — private keys are never uploaded to or stored by the platform. This model follows security best practice: the server holds only your public key, and your private key stays in your control at all times.
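Before decrypting, it is worth confirming that the armored text copied out of the submission detail view is intact and addressed to your key. The sketch below is an added example, not CVD Portal code: it verifies the armor checksum and lists the recipient key IDs in the message without touching the private key. The function names and the sample message are constructed for illustration, and only version 3 session-key packets are read.

```python
import base64
import re

def crc24(data: bytes) -> int:  # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = ((crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)) & 0xFFFFFF
    return crc

def dearmor(text: str) -> bytes:
    """Decode an armored PGP MESSAGE; verify the checksum line when one is present."""
    m = re.search(r"-----BEGIN PGP MESSAGE-----(.*?)-----END PGP MESSAGE-----", text, re.S)
    if not m:
        raise ValueError("no PGP MESSAGE armor found")
    lines = [ln.strip() for ln in m.group(1).strip().splitlines()]
    lines = lines[lines.index("") + 1:] if "" in lines else lines  # skip armor headers
    data = base64.b64decode("".join(ln for ln in lines if ln[:1] != "="), validate=True)
    for ln in lines:
        if ln[:1] == "=" and int.from_bytes(base64.b64decode(ln[1:]), "big") != crc24(data):
            raise ValueError("armor checksum mismatch: text was altered or truncated")
    return data

def recipient_key_ids(packets: bytes) -> list:
    """Key IDs named by the leading v3 session-key packets (tag 1), in order."""
    ids, pos = [], 0
    while pos + 3 <= len(packets) and packets[pos] & 0x80:
        hdr, a, b = packets[pos:pos + 3]
        tag = None
        if hdr & 0x40 and a < 192:              # new format, one-octet length
            tag, length, pos = hdr & 0x3F, a, pos + 2
        elif hdr & 0x40 and a < 224:            # new format, two-octet length
            tag, length, pos = hdr & 0x3F, ((a - 192) << 8) + b + 192, pos + 3
        elif not hdr & 0x40 and hdr & 3 < 2:    # old format, one- or two-octet length
            tag, length, pos = (hdr >> 2) & 15, (a << 8 | b) if hdr & 1 else a, pos + 2 + (hdr & 1)
        if tag != 1:
            break  # other length forms or tags: the encrypted data packet starts here
        body = packets[pos:pos + length]
        if len(body) >= 10 and body[0] == 3:
            ids.append(body[1:9].hex().upper())  # all zeros means a hidden recipient
        pos += length
    return ids

# Constructed sample: session-key packet for a made-up key ID, then dummy ciphertext.
SAMPLE_KEY_ID = "0123456789ABCDEF"
PKESK = b"\x03" + bytes.fromhex(SAMPLE_KEY_ID) + b"\x01\x00\x08\xaa"
RAW = bytes([0xC1, len(PKESK)]) + PKESK + b"\xd2\x05\x01demo"
SAMPLE = "-----BEGIN PGP MESSAGE-----\n\n%s\n=%s\n-----END PGP MESSAGE-----\n" % (
    base64.b64encode(RAW).decode(), base64.b64encode(crc24(RAW).to_bytes(3, "big")).decode())
```

Call `recipient_key_ids(dearmor(text))` on the copied submission and compare the result with the encryption subkey ID of the key you published under Settings → PGP / Security, then decrypt locally with your OpenPGP tool.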

By supporting PGP-encrypted submissions, your organization signals a strong commitment to operational security and builds trust with researchers who require confidentiality when disclosing high-impact vulnerabilities.
