
Setting Up a CVD Policy: Template for Software Projects

The Cyber Resilience Act (CRA) requires you to have a Coordinated Vulnerability Disclosure (CVD) policy (Annex I, Part II, point 5). This policy tells security researchers how to report vulnerabilities to you responsibly. Here is a basic, adaptable template to get you started.

Disclaimer: This is a general template. You should adapt it to your specific software product and consider seeking legal advice.


[Your Company/Product Name] Coordinated Vulnerability Disclosure (CVD) Policy

Last Updated: [Date]

1. Introduction

At [Your Company Name], we are committed to the security of our users and our software, [Product Name]. We value the work of the security research community and welcome responsible disclosure of any potential vulnerabilities. This policy outlines how to report vulnerabilities to us and what you can expect in return.

2. Scope

This policy applies to security vulnerabilities found in the following products and services:

  • [List your software, e.g., "PixelPioneer App for iOS, version 2.0 and later"]
  • [List associated websites/APIs, e.g., "api.pixelpioneer.example.com"]

The following are out of scope: [e.g., Denial of service attacks, social engineering, physical security].

3. How to Report a Vulnerability

Please send all reports to our dedicated security contact address: security@[yourcompany].example.com.

To help us investigate, please include the following in your report:

  • A description of the vulnerability and its potential impact.
  • The product, version, and platform affected.
  • Technical details and steps to reproduce the vulnerability.

4. Our Commitment (The Disclosure Process)

  • We will acknowledge receipt of your report within [e.g., 2 business days].
  • We will provide an initial assessment of the vulnerability's validity and severity within [e.g., 5 business days].
  • We will maintain an open dialogue with you throughout the remediation process.
  • We will notify you when the vulnerability has been fixed.
  • We will publicly recognize your contribution, with your permission.

5. Safe Harbor

We will not take legal action against you for your security research activities as long as you act in good faith and comply with this policy. We consider research conducted under this policy to be authorized.


Key Takeaway

Use this template as a starting point. A good CVD policy should clearly define its scope, provide a simple reporting method, set expectations for your response, and offer safe harbor to encourage responsible disclosure from the security community.