CVD & Vulnerability Management

Coordinated Vulnerability Disclosure (CVD)

CVD is the process by which a security researcher privately reports a vulnerability to the affected vendor, who then develops and releases a fix before the vulnerability is made public. Under the EU Cyber Resilience Act, manufacturers of products with digital elements are legally required to establish a CVD process.



What Is Coordinated Vulnerability Disclosure?

Coordinated Vulnerability Disclosure (CVD) is a structured process in which a security researcher who discovers a vulnerability in a product privately notifies the affected manufacturer before publishing any details. The manufacturer is given a reasonable timeframe, typically 90 days, to develop, test, and release a fix. Only once a patch is available (or the agreed deadline passes) does the researcher disclose the vulnerability publicly. CVD balances two competing interests: the public's need to know about security risks and the vendor's need for time to fix them. It differs from full disclosure, where details are published immediately, and from bug bounty programmes, which add a financial incentive on top of a disclosure process.

CRA reference: Article 13(6)

Why CVD Is Required Under the CRA

Article 13(6) of the EU Cyber Resilience Act explicitly requires manufacturers to establish and maintain a coordinated vulnerability disclosure policy. Recital 63 reinforces that manufacturers must enable researchers and users to report vulnerabilities through accessible channels. The CRA treats CVD not as a best practice but as a mandatory legal obligation for all manufacturers of products with digital elements placed on the EU market. Failure to maintain a functioning CVD process constitutes non-compliance and exposes the manufacturer to market surveillance authority (MSA) enforcement action, which can include restricting or withdrawing the product from the market and financial penalties. ENISA has published good-practice guidance on CVD, which is the natural reference point when designing a policy.

CRA reference: Article 13(6), Recital 63

How Manufacturers Implement CVD

A compliant CVD implementation requires four components:

  1. A disclosure channel — a published email address or web form where researchers can submit reports, with a published OpenPGP key so that reports can be encrypted in transit.
  2. A CVD policy — a written document stating scope, safe harbour terms, and expected response times. The policy itself lives on a normal web page; a machine-readable security.txt file served at /.well-known/security.txt (RFC 9116) points to it via its Policy field and also carries the Contact, Expires and Encryption fields that researchers' tooling looks for.
  3. An internal triage process — a defined workflow for validating, prioritising, and remediating reported vulnerabilities, usually owned by a Product Security Incident Response Team (PSIRT).
  4. A public advisory process — a mechanism for publishing security advisories once a fix is released, ideally in the machine-readable Common Security Advisory Framework (CSAF) format so that downstream users can ingest them automatically.
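The security.txt file from step 2 is the one piece of this procedure a researcher's tooling reads automatically, so it is worth checking before it goes live. The following script is an added example, not code from the original page or from CVD Portal: it parses a security.txt file and applies the RFC 9116 rules (Contact and Expires are mandatory, web contact URIs must be https, Expires must be an RFC 3339 timestamp and should be less than a year out, Encryption must point to a key rather than contain it, Preferred-Languages may appear at most once) plus an advisory check that a Policy URI exists. The example.com URLs, the two sample files and the CHECKED_AT date are constructed for the demonstration.

```python
"""Validate an RFC 9116 security.txt file before publishing it.

Constructed example written for this page; it is not CVD Portal's code.
Field rules follow RFC 9116; the one-year Expires horizon is the RFC's
recommendation. The sample files and example.com URLs are made up.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

REQUIRED = {"contact", "expires"}
# Fields defined by RFC 9116, plus "csaf", which CSAF 2.0 uses to point at a
# provider-metadata.json for machine-readable advisories.
KNOWN = REQUIRED | {
    "acknowledgments", "canonical", "encryption", "hiring", "policy",
    "preferred-languages", "csaf",
}

# Fixed "now" so the demonstration is reproducible (assumption for the example).
CHECKED_AT = datetime(2025, 9, 1, tzinfo=timezone.utc)


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return field name (lower-cased) -> list of values, in file order."""
    fields: dict[str, list[str]] = {}
    in_signature = False
    for raw in text.splitlines():
        line = raw.strip()
        # Everything from the OpenPGP signature armor onwards is not field data.
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            in_signature = True
        if in_signature or not line or line.startswith("#"):
            continue
        # Cleartext-signature header lines carry no fields either.
        if line.startswith(("-----BEGIN PGP SIGNED MESSAGE-----", "Hash:")):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: list[str] = []

    for name in sorted(REQUIRED - set(fields)):
        problems.append(f"missing required field: {name}")
    for name in sorted(set(fields) - KNOWN):
        problems.append(f"unknown field: {name}")

    # Contact: at least one URI; web URIs must be https.
    for uri in fields.get("contact", []):
        if uri.startswith("http://"):
            problems.append(f"contact must use https, not http: {uri}")
        elif not uri.startswith(("https://", "mailto:", "tel:")):
            problems.append(f"contact is not a URI: {uri}")

    # Expires: exactly one RFC 3339 timestamp, in the future, ideally < 1 year.
    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("expires must appear exactly once")
    for value in expires[:1]:
        stamp = value[:-1] + "+00:00" if value[-1:] in ("Z", "z") else value
        try:
            exp = datetime.fromisoformat(stamp)
        except ValueError:
            problems.append(f"expires is not an RFC 3339 timestamp: {value}")
            continue
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        if exp <= now:
            problems.append(f"file expired at {value}")
        elif exp - now > timedelta(days=365):
            problems.append("expires is more than a year out; refresh the file more often")

    # Encryption: a URI that locates the key, never the key block itself.
    for value in fields.get("encryption", []):
        if "BEGIN PGP" in value or not value.startswith(("https://", "dns:", "openpgp4fpr:")):
            problems.append("encryption must be a URI to the key, not the key itself")

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("preferred-languages must not appear more than once")
    if "policy" not in fields:
        problems.append("no policy URI: researchers cannot find scope, safe harbour or SLAs")
    return problems


# Constructed sample of a file that passes every check.
GOOD = """\
# Constructed example, not a real vendor's file
Contact: mailto:security@example.com
Contact: https://example.com/report-vulnerability
Expires: 2026-06-30T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security-policy
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en, de
"""

# Constructed sample with typical mistakes: no Expires, a plain-http contact,
# a key pasted inline instead of linked, and a duplicated Preferred-Languages.
BAD = """\
Contact: http://example.com/contact
Encryption: -----BEGIN PGP PUBLIC KEY BLOCK----- mQENBF...
Policy: https://example.com/security-policy
Preferred-Languages: en
Preferred-Languages: de
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(f"{label}: {check_security_txt(sample, CHECKED_AT) or 'ok'}")
```

Run it against the file you intend to publish (read it into `check_security_txt`) and fix every problem before the file is served; a researcher who finds an expired or http-only security.txt has no reason to trust the rest of the process. The script only checks content, so separately confirm that the file is served over HTTPS at /.well-known/security.txt with a text/plain content type.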

CVD Portal automates all four steps for manufacturers subject to the CRA.

CRA reference: Article 13(6), Article 14

Common Mistakes in CVD Implementation

Manufacturers frequently make the following errors:

  • No published contact — researchers cannot find where to send reports, so vulnerabilities go unreported or are disclosed on social media instead.
  • No safe harbour clause — without explicit assurance that good-faith research will not be met with legal action, potential reporters stay silent.
  • Missing response SLAs — a policy without defined timelines (e.g. acknowledgement within 5 days, a 90-day remediation target) gives researchers nothing to hold the manufacturer to and undermines their trust in the process.
  • No CVSS scoring or severity triage — treating every report the same creates a backlog and lets critical issues slip past.
  • Conflating CVD with bug bounty — CVD is a compliance requirement; a bug bounty programme is optional and complementary.

CVD Portal makes Coordinated Vulnerability Disclosure (CVD) compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.


Frequently asked

Is CVD mandatory under the EU Cyber Resilience Act?

Yes. Article 13(6) of the CRA requires every manufacturer of a product with digital elements to establish and maintain a coordinated vulnerability disclosure policy. This is a legal obligation, not a recommendation. Manufacturers without a functioning CVD process are non-compliant and subject to enforcement by national market surveillance authorities.

What is the difference between CVD and a bug bounty programme?

CVD is the process and policy framework for receiving and handling vulnerability reports — it is required by the CRA. A bug bounty programme is an optional financial incentive scheme that rewards researchers for valid findings. You can run a bug bounty programme on top of a CVD process, but a bug bounty alone is not sufficient for CRA compliance without the underlying policy and disclosure workflow.

How long must a manufacturer wait before publicly disclosing a reported vulnerability?

The CRA does not specify a fixed embargo period, but the widely used industry convention is 90 days from the vendor's receipt of a report, and ENISA's CVD guidance works with timelines of this order. Manufacturers should state their expected remediation window in their published CVD policy so researchers know what to expect, and should agree an extension with the reporter when a fix genuinely needs longer rather than letting the deadline lapse silently.

Browse the full CRA Compliance Checklist

See how Coordinated Vulnerability Disclosure (CVD) fits into your complete CRA compliance programme.
