Establishing a Coordinated Vulnerability Disclosure (CVD) Policy for Your Software
Under the Cyber Resilience Act (CRA), just waiting for vulnerability reports isn't enough. You need a proactive and structured approach. Annex I, Part II, point (5), requires manufacturers to "put in place and enforce a policy on coordinated vulnerability disclosure". Recital 76 further emphasizes this, suggesting it facilitates reporting from individuals or entities.
What is a CVD Policy?
A Coordinated Vulnerability Disclosure policy is your public statement and internal procedure for how security researchers (or any user) should report vulnerabilities they find in your app, game, or software, and how you'll handle those reports. The "coordinated" part means you aim to fix the vulnerability before it's widely publicized, protecting your users.
Key Elements for Your Software's CVD Policy
For your app or game, your CVD policy should generally cover:
- Scope: What products or versions are covered by the policy?
- How to Report: Clear instructions on where and how to send vulnerability reports (e.g., a dedicated email address, a form on your website). This links to providing a contact address as per Annex I, Part II, point (6).
- What to Include in a Report: Guidance on the information researchers should provide to help you understand and reproduce the vulnerability.
- Your Commitment: What reporters can expect from you (e.g., acknowledgement of receipt, timeframe for initial assessment, updates on progress, recognition).
- Safe Harbor (Optional but Recommended): A statement that you won't take legal action against researchers who report vulnerabilities in good faith and follow your policy. Recital 75 encourages Member States to address challenges faced by researchers, including potential liability.
- Disclosure Plan: How and when you plan to publicly disclose the vulnerability once it's fixed.
Recital 76 also mentions the possibility of bug bounty programs as part of CVD policies to incentivize reporting.
Key Takeaway
The CRA mandates a Coordinated Vulnerability Disclosure policy. For your software, this means having a clear, publicly accessible process for receiving, assessing, and addressing vulnerability reports responsibly and collaboratively with finders.