Questionnaire Guide
Overview
Many CRA requirements cannot be assessed by code scanning alone. The questionnaire engine collects evidence for the Doc and Interview evidence types — process documentation, policy descriptions, and organizational practices.
Which Requirements Use Questionnaires
Of the 401 requirements in the default catalog:
| Evidence Type | Count | Assessment Method |
|---|---|---|
| Doc | 187 | Document submission — questionnaire or file upload |
| Test | 8 | Active testing results — test report upload |
| Semi | 150 | Automated + review — scanner + LLM or manual review |
| Auto | 56 | Fully automated — scanner handles entirely |
Doc and Test requirements are the primary targets for the questionnaire engine.
Workflow
1. Start a session for a product: `POST /products/{id}/questionnaire`
2. For each Doc/Test requirement, submit an answer: `POST /questionnaire/{session_id}/answer`

   ```json
   {
     "requirement_id": "VH-REG-01-R1",
     "answer": "ENISA notification process documented...",
     "attachments": [{ "name": "process.pdf", "storage_key": "s3://..." }]
   }
   ```

3. Each answer automatically creates an evidence record.
4. Complete the session: `POST /questionnaire/{session_id}/complete`

Question Categories
Questions are organized by the catalog’s feature categories. Examples:
Vulnerability Handling (VH-*)
- “What is your ENISA notification process?”
- “Do you have a coordinated disclosure policy?”
- “What are your vulnerability remediation SLAs?”
Update Mechanism (UPD-*)
- “How long is your security update support period?”
- “How are users notified of security updates?”
- “Do you support offline/manual updates?”
Supply Chain (SUPPLY-*)
- “What criteria do you use when selecting open source components?”
- “How do you respond to vulnerabilities in dependencies?”
- “Do you have contracts with software component vendors?”
Third-Party Services (SVC-*)
- “Does your product depend on third-party APIs or services?”
- “What data do you send to external services?”
- “What happens if a third-party service is unavailable?”
Answer Format
Answers should be specific and documentary — suitable for inclusion in Module A technical documentation:
Good: “Coordinated disclosure policy published at https://example.com/.well-known/security.txt. Policy defines 90-day disclosure timeline, offers PGP-encrypted reporting channel at security@example.com, and credits reporters with consent. Last reviewed 2026-03-01.”
Bad: “Yes, we have a disclosure policy.”
File Attachments
Answers can include file attachments (stored in S3):
```json
{
  "requirement_id": "VH-DISC-01-R1",
  "answer": "See attached disclosure policy document.",
  "attachments": [
    {
      "name": "disclosure-policy-v2.pdf",
      "storage_key": "s3://evidence/products/uuid/disclosure-policy-v2.pdf"
    }
  ]
}
```

Evidence Linkage
Each questionnaire answer automatically creates an EvidenceRecord with:
- `source`: `questionnaire`
- `evidence_type`: `doc` (or `test`)
- `content_hash`: SHA-256 of the answer text
- Linked to the questionnaire session
This evidence appears in the Evidence Vault and counts toward the gap analysis.
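The following is an added example, not the questionnaire engine's own code, covering the answer step of the Workflow above and the Evidence Linkage it produces. It assembles the JSON body for `POST /questionnaire/{session_id}/answer`, validates the attachment shape shown under File Attachments, and derives the EvidenceRecord (`source`, `evidence_type`, `content_hash`, session link) so that a later edit to the stored answer can be detected by recomputing the hash. The record `id`, `created_at` and `attachments` fields, the `sess-0001` session id and the rule that only Doc and Test requirements are answered this way are assumptions for the example.

```python
"""Added example: build an answer payload and derive its EvidenceRecord.
Not the engine's code; fields beyond source/evidence_type/content_hash/
session linkage are assumed for illustration."""
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Catalog evidence types the questionnaire handles, mapped to the record's
# lowercase evidence_type (page: doc or test). Semi/Auto are rejected (assumption).
QUESTIONNAIRE_EVIDENCE_TYPES = {"Doc": "doc", "Test": "test"}


def build_answer_payload(requirement_id, answer, attachments=()):
    """Validate and assemble the JSON body for the answer endpoint."""
    if not requirement_id or not answer.strip():
        raise ValueError("requirement_id and a non-empty answer are required")
    for att in attachments:
        # Attachments live in S3: require exactly a name and an s3:// storage key.
        if set(att) != {"name", "storage_key"}:
            raise ValueError(f"attachment needs exactly name and storage_key: {att}")
        if not att["storage_key"].startswith("s3://"):
            raise ValueError(f"storage_key must be an s3:// URI: {att['storage_key']}")
    return {
        "requirement_id": requirement_id,
        "answer": answer,
        "attachments": list(attachments),
    }


def content_hash(answer_text):
    """SHA-256 of the UTF-8 answer text, hex-encoded."""
    return hashlib.sha256(answer_text.encode("utf-8")).hexdigest()


def make_evidence_record(session_id, catalog_evidence_type, payload):
    """Create the EvidenceRecord that links the answer to its session."""
    try:
        evidence_type = QUESTIONNAIRE_EVIDENCE_TYPES[catalog_evidence_type]
    except KeyError:
        raise ValueError(
            f"{catalog_evidence_type} requirements are not answered via questionnaire"
        ) from None
    return {
        "id": str(uuid.uuid4()),  # assumed: engine assigns a record id
        "source": "questionnaire",
        "evidence_type": evidence_type,
        "requirement_id": payload["requirement_id"],
        "content_hash": content_hash(payload["answer"]),
        "attachments": payload["attachments"],  # assumed field
        "session_id": session_id,  # the linkage to the questionnaire session
        "created_at": datetime.now(timezone.utc).isoformat(),  # assumed field
    }


def verify_evidence_record(record, answer_text):
    """Recompute the hash; False means the answer changed after the record was made."""
    return record["content_hash"] == content_hash(answer_text)


if __name__ == "__main__":
    # Constructed sample: a disclosure-policy answer with one attachment.
    session = "sess-0001"  # placeholder session id
    payload = build_answer_payload(
        "VH-DISC-01-R1",
        "Coordinated disclosure policy published at "
        "https://example.com/.well-known/security.txt. Last reviewed 2026-03-01.",
        [{"name": "disclosure-policy-v2.pdf",
          "storage_key": "s3://evidence/products/uuid/disclosure-policy-v2.pdf"}],
    )
    record = make_evidence_record(session, "Doc", payload)
    print(json.dumps(record, indent=2))
    print("intact:", verify_evidence_record(record, payload["answer"]))
    print("tampered:", verify_evidence_record(record, payload["answer"] + " (edited)"))
```

Hashing only the answer text, as the page describes, means attachment contents are not covered by `content_hash`; if attachment integrity matters for the gap analysis, hash the uploaded object as well and store that alongside the `storage_key`.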