Can a product contain voluntarily non-fixed vulnerabilities for educational purposes?

Some organizations run various pieces of software and hardware with non-fixed vulnerabilities for educational purposes. What are the relevant parts of the CRA that allow for that practice?