Annex I, Part II, Req 5: Coordinated Software Vulnerability Disclosure Policy

The EU Cyber Resilience Act (CRA) aims to ensure that there is a clear, responsible way for security vulnerabilities in your software to be reported to you and handled. That is why Annex I, Part II, Point 5 requires manufacturers to "put in place and enforce a policy on coordinated vulnerability disclosure" (CVD).

What is a Coordinated Vulnerability Disclosure Policy?

A CVD policy (sometimes called a responsible disclosure policy) is a published set of guidelines that sets out:

  1. How security researchers and users should report vulnerabilities they find in your software directly to you.
  2. Your commitment to working with the reporter to understand, validate, and remediate the vulnerability.
  3. Your process and timeline for fixing the vulnerability.
  4. An agreed understanding of when and how the vulnerability will be publicly disclosed (ideally after a fix is available to users).

The goal is to encourage good-faith reporting so that you can fix issues before they are publicly known or widely exploited.

Key Elements of Your CVD Policy

  • Scope: Which products and versions does the policy cover, and which systems or testing activities are out of scope?
  • Reporting Channels: How can someone contact you (e.g., a dedicated security email address, a web form)? Make this easy to find: Annex II, Item 2 requires you to tell users where vulnerabilities can be reported and where your CVD policy can be found.
  • Information to Include in a Report: What details do you need from the reporter (affected product and version, steps to reproduce, observed impact, and how to reach them for follow-up)?
  • Your Commitments: Acknowledge receipt, give a timeline for assessment and remediation, and commit not to take legal action against good-faith research conducted within the policy's scope.
  • Disclosure Plans: How and when will you publicly disclose the vulnerability once it is fixed, and how will the reporter be involved?
  • Bug Bounties or Recognition: Consider whether you will offer bug bounties or public recognition to reporters (Recital 76).
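A common way to make the reporting channel and the policy discoverable is a security.txt file served at /.well-known/security.txt (RFC 9116). The following is an added example, not text from the original page or from any CRA document; the domain, addresses, and URLs are placeholders you would replace with your own.

```text
# Served at https://example.com/.well-known/security.txt (RFC 9116).
# All names and URLs below are example placeholders.

# Where to send reports (required; multiple Contact lines are allowed,
# listed in order of preference).
Contact: mailto:security@example.com
Contact: https://example.com/security/report

# Date after which this file should be considered stale (required).
# Keep it under a year out and renew it before it passes.
Expires: 2026-12-31T23:59:59.000Z

# Public key for encrypting reports.
Encryption: https://example.com/.well-known/pgp-key.txt

# Link to the full CVD policy: scope, commitments, disclosure timeline.
Policy: https://example.com/security/cvd-policy

# Where reporters are credited, if you offer recognition.
Acknowledgments: https://example.com/security/acknowledgments

Preferred-Languages: en

# The URL this file is meant to live at, so copies can be detected.
Canonical: https://example.com/.well-known/security.txt
```

Two checks worth scheduling: fetch the file over HTTPS from outside your network to confirm it is actually reachable at the well-known path, and put a reminder on the Expires date, since a lapsed file signals to researchers that the channel may be unattended.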

Enforce the Policy

"Enforce" means the policy is operated in practice, not just published: reports arriving through the stated channel are acknowledged, triaged, tracked to a fix, and disclosed within the timelines you committed to, and the people handling them know the process.

Why is it Important?

A clear CVD policy:

  • Encourages responsible reporting instead of public or uncoordinated disclosure.
  • Lets you learn about vulnerabilities privately, giving you time to fix them before they are exploited.
  • Builds trust with the security community and your users.

Key Takeaway

Under Annex I, Part II, Point 5 of the CRA, you must create, publish, and actually operate a Coordinated Vulnerability Disclosure policy. The policy tells people how to report vulnerabilities in your software to you responsibly and sets out your process and timelines for addressing and disclosing them.