CVD & Vulnerability Management

CVD Coordinator

A CVD Coordinator is a neutral third party — typically a CSIRT, CERT, or specialised organisation — that facilitates the coordinated disclosure process between security researchers and manufacturers, particularly in multi-vendor or complex vulnerability scenarios. Under the CRA, ENISA plays a CVD coordination role for the EU.

What Is a CVD Coordinator?

A CVD Coordinator acts as a neutral intermediary in the vulnerability disclosure process, facilitating communication between the reporting researcher and one or more affected manufacturers. Coordinators are typically called upon when: the researcher cannot identify or reach the affected manufacturer; multiple manufacturers are affected by the same vulnerability and coordinated simultaneous disclosure is needed; the researcher and manufacturer cannot agree on timelines or scope; or the vulnerability is particularly complex or sensitive (e.g., affecting critical infrastructure). Major CVD coordinators include CERT/CC (Carnegie Mellon), NCSC-NL, BSI (Germany), CISA (US), and national CSIRTs across the EU. ENISA has a coordination function specifically for the CRA's European vulnerability database.

CRA reference: Article 12, Article 14

The CVD Coordinator's Role in the Process

When engaged, a CVD coordinator typically:

  • Validates the report: Confirms the vulnerability is genuine and reproducible before engaging vendors, reducing noise and protecting researcher credibility.
  • Identifies affected parties: Determines which manufacturers, vendors, or components are affected — particularly important for supply chain vulnerabilities.
  • Manages communication: Acts as a single point of contact for the researcher, relaying information to multiple vendors and managing separate bilateral communications.
  • Sets and manages the timeline: Establishes a coordinated disclosure date that gives all affected parties adequate time to develop fixes simultaneously.
  • Mediates disputes: Resolves disagreements about scope, severity, or timeline between researchers and vendors.
  • Issues coordinated advisories: Publishes a master advisory that references all affected products' individual advisories, enabling comprehensive user awareness.

CRA reference: Article 12

ENISA's Coordination Role Under the CRA

The CRA assigns ENISA a specific CVD coordination function at the EU level. ENISA operates the European Vulnerability Database (EUVDB), which aggregates vulnerability information from national CSIRTs, manufacturers, and other sources. ENISA can facilitate coordination between researchers and manufacturers when national-level coordination is insufficient — particularly for vulnerabilities with cross-border impact. ENISA also issues guidance on CVD best practices and supports national CSIRTs in developing their coordination capabilities. For manufacturers operating across multiple EU member states, understanding ENISA's coordination mechanisms is important: a vulnerability reported through any EU national CSIRT may be escalated to ENISA-level coordination if its impact warrants it.

CRA reference: Article 12, Article 14

When to Involve a CVD Coordinator

Manufacturers should consider proactively engaging a CVD coordinator in the following situations:

  • A reported vulnerability affects components or libraries also used by other manufacturers.
  • The researcher is unresponsive or unreachable after initial contact.
  • The vulnerability affects safety-critical or critical infrastructure systems where simultaneous multi-vendor disclosure is essential.
  • The researcher and manufacturer are in dispute about the disclosure timeline or scope.
  • The vulnerability has national security implications that require government coordination.

Manufacturers should pre-establish relationships with relevant national CSIRTs before incidents occur. Knowing the coordination process in advance significantly reduces response time when a complex multi-party disclosure scenario arises.

Frequently asked

How does a security researcher contact a CVD coordinator?

Most national CSIRTs publish contact details on their official websites and accept vulnerability reports through encrypted channels. CERT/CC accepts reports at [email protected]. ENISA's EUVDB portal provides a submission interface. The disclose.io and FIRST.org directories list contact information for coordinators worldwide. Researchers should contact coordinators when they cannot reach the affected manufacturer directly or when they believe the vulnerability requires multi-party coordination due to its scope.

Is involving a CVD coordinator required under the CRA?

No. The CRA does not require manufacturers to use a CVD coordinator for ordinary vulnerability disclosures. Coordinators are optional facilitators used when direct coordination between researcher and manufacturer is insufficient or impractical. However, when a vulnerability affects multiple products or has systemic impact, ENISA or national CSIRTs may initiate coordination even without a manufacturer's request, particularly if the manufacturer has not responded to the researcher's report within expected timeframes.

Does using a CVD coordinator mean giving up control of the disclosure?

Not entirely, but coordinators do introduce a third party into the process. Reputable coordinators (national CSIRTs, CERT/CC) are committed to facilitating coordinated disclosure and will not publish details unilaterally before an agreed date unless there is evidence of active exploitation or bad faith by a vendor. Manufacturers should treat coordinator engagement as a collaborative process, provide timely responses to coordinator queries, and negotiate timeline and disclosure scope as they would directly with a researcher.