Definition + setup guide

Coordinated Vulnerability Disclosure

Coordinated vulnerability disclosure (CVD) is how the security industry agrees to handle newly discovered flaws: researcher reports privately, vendor fixes, public learns once a remediation is available. This page covers what it is, why it exists, and the seven steps to operate one for an EU manufacturer under the Cyber Resilience Act.

The three disclosure models

Full disclosure. The researcher publishes findings immediately, without coordinating with the vendor. Maximises public information, maximises exposure window before a patch exists.

Non-disclosure. The vulnerability is kept secret, often for offensive use. Common in nation-state and grey-market contexts. Externally indistinguishable from a vendor that has no security culture.

Coordinated disclosure. The default professional norm. The researcher reports privately to the vendor, an agreed timeline is set, the remediation ships, and the advisory publishes alongside or shortly after. ISO/IEC 29147 codifies the practice.

Seven steps to operate a CVD process

The minimum operational set for an EU manufacturer under Article 13 of the Cyber Resilience Act, with Article 14 reporting at the end where applicable.

1. Publish a CVD policy

   A short public document that describes scope, authorised testing methods, the reporting channel, your acknowledgment timeline, your remediation target, and a safe-harbor statement. Reference ISO/IEC 29147 for the framing. Under CRA Article 13(8) this is a regulatory obligation for EU manufacturers of products with digital elements.

2. Set up a single point of contact

   A monitored intake channel under your brand. A white-label email address and a structured submission form on a hosted policy page are the minimum. Add the reporting address to your security.txt file at /.well-known/security.txt.

3. Acknowledge within 48 hours

   ISO/IEC 29147 sets a 48h acknowledgment expectation. Send the acknowledgment automatically and assign a triage owner the same day.

4. Triage and assess severity

   Confirm the vulnerability, determine severity (CVSS 3.1 or 4.0), check for duplicates, and decide on a remediation target date. Communicate the timeline to the reporter.

5. Coordinate disclosure

   Agree an embargo date with the reporter. The default norm is publication around the remediation release. Active exploitation may justify earlier disclosure; pending CSIRT coordination may justify later. Document the rationale either way.

6. Publish an advisory

   Issue a security advisory describing the vulnerability, affected versions, and mitigation. CSAF 2.0 is the machine-readable industry standard. Credit the reporter unless they request anonymity.

7. Report to regulators where required

   Under CRA Article 14, actively exploited vulnerabilities and significant incidents trigger a 24h early warning to ENISA and the relevant national CSIRT, followed by a 72h detailed report and a final report. Track these deadlines explicitly.
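The steps above share two things worth making mechanical: the clocks (the 48h acknowledgment in step 3, the 90-day default embargo discussed under step 5 and in the FAQ, and the 24h/72h Article 14 clocks in step 7) and the security.txt file from step 2. The following is an added example written for this page, not CVD Portal's code or a reference implementation of any standard: it computes the dated obligations a single report creates and checks a security.txt body for the two fields RFC 9116 makes mandatory (Contact and Expires). The ticket id format, the constants, the `Report` type and the sample inputs are all assumptions or constructed values.

```python
# Added example (not CVD Portal's code): deadline tracker for one incoming
# report plus a checker for the security.txt file published in step 2.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ACK_SLA = timedelta(hours=48)           # ISO/IEC 29147 acknowledgment expectation (step 3)
DEFAULT_EMBARGO = timedelta(days=90)    # common default disclosure window (step 5 / FAQ)
EARLY_WARNING = timedelta(hours=24)     # CRA Article 14 early warning (step 7)
DETAILED_REPORT = timedelta(hours=72)   # CRA Article 14 detailed report (step 7)


@dataclass
class Report:
    report_id: str                      # internal ticket id (constructed format)
    received_at: datetime               # when the intake channel received it (tz-aware)
    actively_exploited: bool = False
    aware_of_exploitation_at: Optional[datetime] = None


def deadlines(report: Report) -> dict:
    """Return the dated obligations this report creates, keyed by obligation name."""
    due = {
        "acknowledge_by": report.received_at + ACK_SLA,
        "disclose_by": report.received_at + DEFAULT_EMBARGO,
    }
    if report.actively_exploited:
        # The Article 14 clocks start at awareness of exploitation, which may be
        # later than receipt (e.g. the reporter sends exploitation evidence later).
        t0 = report.aware_of_exploitation_at or report.received_at
        due["early_warning_by"] = t0 + EARLY_WARNING
        due["detailed_report_by"] = t0 + DETAILED_REPORT
    return due


def overdue(report: Report, now: datetime, done: set) -> list:
    """Names of obligations whose deadline has passed and that are not marked done."""
    return sorted(name for name, when in deadlines(report).items()
                  if name not in done and now > when)


REQUIRED_FIELDS = ("Contact", "Expires")   # mandatory fields in RFC 9116


def check_security_txt(text: str, now: datetime) -> list:
    """Return a list of problems found in a security.txt body; an empty list means OK."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments are allowed
            continue
        if ":" not in line:
            return [f"malformed line: {line!r}"]
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())

    problems = [f"missing required field: {f}" for f in REQUIRED_FIELDS if f not in fields]
    for contact in fields.get("Contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a mailto:, https: or tel: URI: {contact}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {value}")
            continue
        if when.tzinfo is None:                   # treat a bare timestamp as UTC
            when = when.replace(tzinfo=timezone.utc)
        if when <= now:
            problems.append(f"security.txt expired on {value}")
    return problems


# Constructed sample intake and security.txt used to exercise the checks above.
SAMPLE_RECEIVED = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_REPORT = Report("RPT-0001", SAMPLE_RECEIVED, actively_exploited=True)
SAMPLE_SECURITY_TXT = """\
Contact: mailto:security@example.com
Expires: 2026-12-31T23:59:00.000Z
Preferred-Languages: en
Policy: https://example.com/.well-known/cvd-policy
"""

if __name__ == "__main__":
    for name, when in deadlines(SAMPLE_REPORT).items():
        print(f"{name:20s} {when.isoformat()}")
    at_50h = SAMPLE_RECEIVED + timedelta(hours=50)
    print("overdue at +50h:", overdue(SAMPLE_REPORT, at_50h, done=set()))
    print("security.txt problems:", check_security_txt(SAMPLE_SECURITY_TXT, SAMPLE_RECEIVED))
```

The `overdue` call is what a daily job would run over every open ticket; anything it returns for an actively exploited report is a missed regulatory deadline, not just a missed SLA. Keep the Expires value in security.txt well inside a year and put its renewal on the same calendar as the policy review.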

Frequently asked

What is coordinated vulnerability disclosure?
Coordinated vulnerability disclosure (CVD) is the process by which a security researcher reports a flaw to the affected vendor privately, the vendor remediates the flaw, and the parties publish information about the vulnerability and the fix on a coordinated timeline. It contrasts with full disclosure (publish immediately) and non-disclosure (keep secret). CVD is the international norm under ISO/IEC 29147 and the basis for the EU CRA's Article 13 obligation.
What is the difference between CVD and a VDP?
CVD is the process. A VDP (Vulnerability Disclosure Programme or Platform) is the operational implementation. You publish a CVD policy, you operate a VDP. In EU regulatory and standards documents (ISO/IEC 29147, ENISA guidance) the term CVD is more common; in US security industry parlance VDP is more common. The substance is the same.
Is CVD mandatory under the EU CRA?
Yes for manufacturers of products with digital elements. Article 13(8) of Regulation (EU) 2024/2847 requires every such manufacturer to have a policy on coordinated vulnerability disclosure. The policy must be publicly accessible. Article 14 adds reporting obligations for actively exploited vulnerabilities and significant incidents.
How long does the coordinated disclosure period last?
Common defaults are 90 days from report to public disclosure, aligned with the timeline used by Project Zero and CERT/CC. The exact period is negotiable between researcher and vendor. Active exploitation typically shortens it; complex remediation may justify extension. Document the agreed timeline in writing.
What if the researcher does not agree to coordination?
Acknowledge the report regardless. Make the vendor's position clear in the published policy: the vendor will treat good-faith research with safe-harbor protections, but cannot prevent a researcher from publishing on their own timeline. The reputational and legal cost of suing security researchers is almost always higher than the cost of accelerated remediation.
What is a CSAF advisory?
CSAF 2.0 (Common Security Advisory Framework) is a machine-readable JSON format for security advisories. It allows downstream consumers (SBOM tooling, vulnerability management platforms, asset inventories) to ingest vendor advisories automatically. The CRA expects manufacturers to publish advisories when remediations ship; CSAF 2.0 is the format the rest of the industry expects.
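To make the "machine-readable" part concrete, here is an added example, written for this page and not taken from CVD Portal or from any official CSAF tooling: it assembles an advisory in the CSAF 2.0 document shape for one CVE with one affected and one fixed product, and checks the result for the properties the CSAF 2.0 schema marks as required plus the rule that every product id a vulnerability references must be defined in the product tree. The advisory id, product names, product ids, publisher and the CVE string are placeholders, and the required-property lists reflect the schema as understood by the author of this example rather than a schema file loaded at runtime.

```python
# Added example (not CVD Portal's code, not an official CSAF library): build a
# CSAF 2.0 advisory for one CVE and check it for required properties.
import json
from datetime import datetime, timezone

# Properties the CSAF 2.0 JSON schema requires on every document (as understood here).
REQUIRED_DOCUMENT = ("category", "csaf_version", "publisher", "title", "tracking")
REQUIRED_PUBLISHER = ("category", "name", "namespace")
REQUIRED_TRACKING = ("current_release_date", "id", "initial_release_date",
                     "revision_history", "status", "version")


def build_advisory(advisory_id, title, cve, affected, fixed, fix_details, released_at,
                   publisher_name, publisher_namespace):
    """Assemble a CSAF 2.0 advisory. `affected` and `fixed` are (name, product_id)
    tuples; product ids are local labels that only need to be unique in the document."""
    stamp = released_at.astimezone(timezone.utc).isoformat(timespec="seconds")
    return {
        "document": {
            "category": "csaf_security_advisory",
            "csaf_version": "2.0",
            "publisher": {"category": "vendor", "name": publisher_name,
                          "namespace": publisher_namespace},
            "title": title,
            "notes": [{"category": "summary", "text": fix_details}],
            "tracking": {
                "id": advisory_id,
                "status": "final",
                "version": "1",
                "initial_release_date": stamp,
                "current_release_date": stamp,
                "revision_history": [{"date": stamp, "number": "1",
                                      "summary": "Initial publication"}],
            },
        },
        "product_tree": {
            "full_product_names": [
                {"name": affected[0], "product_id": affected[1]},
                {"name": fixed[0], "product_id": fixed[1]},
            ]
        },
        "vulnerabilities": [{
            "cve": cve,
            "title": title,
            "notes": [{"category": "description", "text": fix_details}],
            "product_status": {"known_affected": [affected[1]], "fixed": [fixed[1]]},
            "remediations": [{"category": "vendor_fix", "details": fix_details,
                              "product_ids": [affected[1]]}],
        }],
    }


def check_required(doc):
    """Return problems as JSON-pointer-like paths; an empty list means the checks passed."""
    problems = []
    d = doc.get("document", {})
    problems += [f"/document/{k}" for k in REQUIRED_DOCUMENT if k not in d]
    problems += [f"/document/publisher/{k}" for k in REQUIRED_PUBLISHER
                 if k not in d.get("publisher", {})]
    problems += [f"/document/tracking/{k}" for k in REQUIRED_TRACKING
                 if k not in d.get("tracking", {})]
    if d.get("csaf_version") not in (None, "2.0"):
        problems.append("/document/csaf_version must be '2.0'")
    # Every product id used in a vulnerability must be defined in the product tree.
    known = {p["product_id"] for p in doc.get("product_tree", {}).get("full_product_names", [])}
    for i, vuln in enumerate(doc.get("vulnerabilities", [])):
        referenced = set()
        for ids in vuln.get("product_status", {}).values():
            referenced.update(ids)
        for rem in vuln.get("remediations", []):
            referenced.update(rem.get("product_ids", []))
        for pid in sorted(referenced - known):
            problems.append(f"/vulnerabilities/{i} references undefined product_id {pid}")
    return problems


def to_json(doc):
    """Serialise with sorted keys so two publications of the same advisory diff cleanly."""
    return json.dumps(doc, indent=2, sort_keys=True)


# Constructed sample; every identifier below is a placeholder, including the CVE string.
SAMPLE_ADVISORY = build_advisory(
    advisory_id="EXAMPLE-SA-2025-0001",
    title="Placeholder vulnerability in Example Widget",
    cve="CVE-YYYY-NNNNN",
    affected=("Example Widget 1.0", "CSAFPID-0001"),
    fixed=("Example Widget 1.1", "CSAFPID-0002"),
    fix_details="Upgrade to Example Widget 1.1.",
    released_at=datetime(2025, 1, 20, 12, 0, tzinfo=timezone.utc),
    publisher_name="Example Manufacturer",
    publisher_namespace="https://example.com",
)

if __name__ == "__main__":
    print(to_json(SAMPLE_ADVISORY))
    print("problems:", check_required(SAMPLE_ADVISORY))
```

`check_required` is deliberately a pre-flight check, not a replacement for validating against the published CSAF 2.0 JSON schema; run the schema validation before publishing, and bump `tracking.version` and append to `revision_history` on every re-release rather than editing the original in place.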

Stand up a CVD process in under an hour

CVD Portal handles all seven steps: published policy, whitelabel intake, acknowledgment SLA, triage, coordinated timeline, CSAF advisory, and Article 14 reporting cascade.