Certified CRA Vulnerability Handling and Product Security Lifecycle Professional (CCRA-VHPSL) Certification Program by Tonex

The Certified CRA Vulnerability Handling and Product Security Lifecycle Professional (CCRA-VHPSL) certification focuses on vulnerability handling, coordinated disclosure, incident reporting, patching, product monitoring, and lifecycle security obligations under the CRA.
This program is especially important because CRA reporting obligations for actively exploited vulnerabilities and severe incidents begin September 11, 2026.
Learning Objectives
Participants will learn how to:
- Build a CRA-aligned vulnerability handling process.
- Establish product security incident response capabilities.
- Manage vulnerability intake, triage, severity scoring, and remediation.
- Create coordinated vulnerability disclosure procedures.
- Prepare for CRA vulnerability and incident reporting obligations.
- Maintain SBOM and software component monitoring processes.
- Manage security updates and end-of-support communication.
- Connect vulnerability handling to product risk assessment.
Target Audience
- PSIRT teams
- Product security managers
- Security operations teams
- Compliance teams
- Software maintenance teams
- Product owners
- Legal and regulatory professionals
- Customer support escalation teams
Prerequisites
Recommended:
- Basic cybersecurity knowledge
- Familiarity with software vulnerabilities, CVEs, patching, or incident response
Program Modules
Module 1: CRA Vulnerability Handling Requirements
- Vulnerability handling under CRA
- Manufacturer responsibilities
- Product monitoring
- Lifecycle obligations
Module 2: Product Security Incident Response Team — PSIRT
- PSIRT operating model
- Vulnerability intake
- Triage
- Severity classification
- Remediation coordination
- Disclosure workflows
Module 3: Vulnerability Reporting Readiness
- Actively exploited vulnerabilities
- Severe cybersecurity incidents
- Reporting triggers
- Internal escalation workflow
- Evidence and timelines
- Coordination with legal and executive teams
Module 4: SBOM and Component Monitoring
- SBOM role in CRA readiness
- Open-source software risks
- Component vulnerability monitoring
- Supplier vulnerability coordination
- Patch prioritization
Module 5: Security Update Lifecycle
- Patch development
- Secure update delivery
- Customer notification
- Update validation
- End-of-support and end-of-life planning
Module 6: Practical Exercise
Participants build a vulnerability handling workflow and reporting readiness checklist for a sample product.
Exam Domains and Weights
| Domain | Weight |
| --- | --- |
| CRA Vulnerability Handling Duties | 25% |
| PSIRT Process Design | 20% |
| Reporting Readiness | 20% |
| SBOM and Component Monitoring | 15% |
| Security Updates and Lifecycle Management | 15% |
| Documentation and Evidence | 5% |
Exam Format
- 40 multiple-choice questions
- 90 minutes
- Passing score: 70%
Credential Validity
Valid for 3 years.