Coordinated Vulnerability Disclosure (CVD) policy

A structured process through which vulnerabilities in a product can be reported to a manufacturer in a way that allows the manufacturer to diagnose and remediate them before detailed information is disclosed to third parties or the public. Manufacturers are required by Annex I Part II of the CRA to put in place and enforce a CVD policy.

Source citations

Regulation text

Annex I Part II §5 of Regulation (EU) 2024/2847 requires manufacturers to:

"put in place and enforce a policy on coordinated vulnerability disclosure".

Article 13(8) further elaborates that manufacturers must have:

"appropriate policies and procedures, including coordinated vulnerability disclosure policies, referred to in Part II, point (5), of Annex I to process and remediate potential vulnerabilities in the product with digital elements reported from internal or external sources".

Key elements of a CVD policy

A compliant CVD policy should specify:

  1. How to report — a contact address or mechanism for security researchers and users to report vulnerabilities (can be the single point of contact required by Art. 13(17))
  2. Response process — how the manufacturer will acknowledge, triage, and investigate reported vulnerabilities
  3. Remediation timeline — reasonable timelines for developing and releasing a fix
  4. Disclosure conditions — when and how information about the vulnerability and fix will be published (see Annex I Part II §4)
  5. Anonymous reporting option — whether anonymous reports are accepted

Bug bounty programmes

Manufacturers may include bug bounty programmes in their CVD policy to incentivise responsible disclosure by offering recognition or financial compensation to researchers (recital 76).

Machine-readable format

Manufacturers should consider publishing their security policies in machine-readable format to facilitate automated processing (recital 76 guidance).
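The page does not name a specific format; the one practitioners commonly use for a machine-readable security policy is `security.txt` as specified in RFC 9116, which carries exactly the elements listed above (a reporting contact, a link to the policy, an expiry date). The following Python script is an added example, not code from the page or from CRA Compliance Hub: it renders those policy elements as a `security.txt` file and then validates a file against the RFC's basic rules (`Contact` and `Expires` are required, contacts must be URIs, `Expires` must be in the future and should be under a year away). All hostnames and addresses (`example.com`) are constructed sample values, and the `Expires` parser accepts only the UTC `Z` form the script itself emits.

```python
"""Build and validate a security.txt (RFC 9116) file that points reporters at a CVD policy.

Added example for this glossary entry; it assumes RFC 9116 as the machine-readable
format and uses constructed example.com values throughout.
"""
from datetime import datetime, timedelta, timezone

# Fields RFC 9116 requires in every security.txt file.
REQUIRED_FIELDS = ("Contact", "Expires")
# Contact values must be URIs; these are the schemes the RFC uses in its examples.
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")
# Simplification: only the UTC "Z" form is emitted and accepted here.
EXPIRES_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_security_txt(contacts, expires, policy_url=None, canonical=None,
                       languages=None, encryption=None):
    """Render the CVD policy elements as security.txt text (hypothetical helper)."""
    if isinstance(contacts, str):
        contacts = [contacts]
    lines = ["# Coordinated vulnerability disclosure contact (CRA Annex I Part II, point 5)"]
    lines += [f"Contact: {c}" for c in contacts]          # where to report (element 1)
    lines.append(f"Expires: {expires.strftime(EXPIRES_FMT)}")
    if policy_url:
        lines.append(f"Policy: {policy_url}")             # response process, timelines, disclosure (2-5)
    if canonical:
        lines.append(f"Canonical: {canonical}")
    if languages:
        lines.append(f"Preferred-Languages: {', '.join(languages)}")
    if encryption:
        lines.append(f"Encryption: {encryption}")         # key for encrypting reports
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Return ({field: [values]}, [malformed lines]); comments and blank lines are skipped."""
    fields, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            malformed.append(line)
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields, malformed


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields, malformed = parse_security_txt(text)
    problems = [f"malformed line: {line}" for line in malformed]
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for value in fields.get("Contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a URI with a known scheme: {value}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires[:1]:
        try:
            when = datetime.strptime(value, EXPIRES_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append(f"Expires is not a UTC ISO 8601 timestamp: {value}")
            continue
        if when <= now:
            problems.append(f"file has expired ({value}); reporters may treat it as stale")
        elif when - now > timedelta(days=365):
            problems.append("Expires is more than a year away; RFC 9116 says it should be under a year")
    return problems


def demo():
    """Build one valid file and check it, plus a stale hand-written one (constructed sample)."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)   # fixed reference time for repeatable results
    good = build_security_txt(
        ["mailto:security@example.com", "https://example.com/report-a-vulnerability"],
        now + timedelta(days=180),
        policy_url="https://example.com/cvd-policy",
        canonical="https://example.com/.well-known/security.txt",
        languages=["en", "de"],
    )
    stale = "Contact: security@example.com\nExpires: 2020-01-01T00:00:00Z\n"
    return {
        "good": good,
        "good_problems": validate_security_txt(good, now),
        "stale_problems": validate_security_txt(stale, now),
    }


if __name__ == "__main__":
    result = demo()
    print(result["good"])
    print("valid file problems:", result["good_problems"])
    print("stale file problems:", result["stale_problems"])
```

RFC 9116 expects the file at `/.well-known/security.txt`; re-running the validator against the published copy (for example from a scheduled job) catches the common failure where a file is deployed once and then silently expires, at which point reporters have no way to tell whether the contact is still monitored.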

Single point of contact

The CVD reporting channel should be tied to the manufacturer's single point of contact required under Art. 13(17) (see OBL-ART13-15).

Coordinated Vulnerability Disclosure (CVD) policy — CRA Compliance Hub