CVD & Vulnerability Management

CVD Policy

A CVD policy is a publicly published document that defines how a manufacturer receives, processes, and responds to vulnerability reports. The EU Cyber Resilience Act requires manufacturers to publish a CVD policy as part of their vulnerability handling obligations.



What Is a CVD Policy?

A CVD (Coordinated Vulnerability Disclosure) policy is a written document that tells security researchers and the general public how to report security vulnerabilities in a manufacturer's products. At minimum it must state: where to send reports (contact channel and encryption key), what information to include in a report, how quickly the manufacturer will acknowledge receipt, how long the manufacturer expects to take to remediate the issue, and what researchers are permitted to do during testing (scope and safe harbour terms). The policy is typically published at /.well-known/security.txt and on the manufacturer's product security webpage.

CRA reference: Article 13(6)

CRA Requirements for CVD Policies

Article 13(6) of the CRA requires manufacturers to adopt and publish a coordinated vulnerability disclosure policy. The policy must be accessible and must enable researchers to report vulnerabilities securely. Article 14 adds that manufacturers must notify ENISA and relevant CSIRTs of actively exploited vulnerabilities within 24 hours of becoming aware — the CVD policy is the intake mechanism that starts this notification clock. A policy that lacks a clear contact method, defined response timelines, or explicit safe harbour language will not satisfy the CRA's requirements and may be flagged during conformity assessment.

CRA reference: Article 13(6), Article 14

Essential Elements of a CRA-Compliant CVD Policy

A CRA-compliant CVD policy must include:

  1. Contact details — a dedicated security email address, optionally with a PGP public key for encrypted submissions.
  2. Scope — which products and versions are covered.
  3. Safe harbour — an explicit statement that good-faith researchers will not face legal action under EU law or the manufacturer's terms of service.
  4. Response SLAs — acknowledgement within 5 business days; status updates at regular intervals; remediation target (e.g. 90 days for critical issues).
  5. Disclosure timeline — when and how the manufacturer will publish security advisories after a fix is released.
  6. Out-of-scope activities — actions researchers must not take (e.g. destructive testing, accessing customer data).

CRA reference: Article 13(6), Annex I Part II

Common Policy Mistakes

The most frequent CVD policy failures observed in practice:

  • Vague scope — policies that say "our products" without listing specific product lines leave researchers uncertain and create legal ambiguity.
  • No safe harbour — without explicit legal protection, researchers default to public disclosure rather than risk legal action.
  • Unrealistic SLAs — committing to 24-hour fixes signals the policy was not written by an engineering team and will not be honoured.
  • Policy buried in legal terms — a policy embedded in a 50-page terms-of-service document fails the CRA's accessibility requirement.
  • No PGP key — researchers reporting authentication or cryptographic vulnerabilities need an encrypted channel; a plain email address is insufficient.

CVD Portal makes CVD Policy compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.


Frequently asked

Where should a CVD policy be published?

The de facto standard is `/.well-known/security.txt` on the manufacturer's primary domain, following RFC 9116. This file should link to a full human-readable policy page. Additionally, the policy should be linked from product documentation, support pages, and any developer portals. ENISA recommends making the policy discoverable without requiring a login.
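The essential elements listed above (contact channel, encryption key, policy link, scope, languages) map almost one-to-one onto the fields of an RFC 9116 security.txt file, and the most common intake failures (no contact URI, an expired file, no key) are mechanical enough to check automatically. The following is an added example, not code from this page or from CVD Portal: a small validator that parses a security.txt, enforces the RFC 9116 rules a researcher's tooling will enforce (Contact is required and must be a mailto:, https:// or tel: URI; Expires appears exactly once, is ISO 8601 and not yet past; Preferred-Languages appears at most once), and additionally warns when the Policy or Encryption fields that a CRA-oriented policy relies on are missing. The sample file uses the reserved example.com domain and is constructed for illustration.

```python
"""Validate an RFC 9116 security.txt as the intake point of a CVD policy (added example)."""
from datetime import datetime, timedelta, timezone

# Field names defined by RFC 9116. Extension fields are permitted by the RFC,
# so an unknown name is reported as a warning rather than an error.
RFC9116_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                  "Expires", "Hiring", "Policy", "Preferred-Languages"}
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

# Constructed sample for a fictional manufacturer (example.com), not a real file.
SAMPLE_SECURITY_TXT = """\
# security.txt for a CRA-scoped product line (constructed example)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Encryption: https://example.com/security/pgp-key.txt
Policy: https://example.com/security/cvd-policy
Acknowledgments: https://example.com/security/hall-of-fame
Preferred-Languages: en, de, fr
Canonical: https://example.com/.well-known/security.txt
Expires: 2026-06-30T23:59:00Z
"""

# Constructed sample showing two typical mistakes: a bare address and an expired file.
BROKEN_SECURITY_TXT = """\
Contact: security@example.com
Expires: 2024-01-01T00:00:00Z
"""


def _iso(value):
    """Parse an ISO 8601 timestamp; a trailing 'Z' is accepted as UTC."""
    when = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return ({Field: [values...]}, [syntax errors]). Field names are case-insensitive."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):       # blank lines and comments are ignored
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            errors.append(f"line {lineno}: expected 'Field: value'")
            continue
        # Normalise capitalisation so 'contact' and 'Contact' land in the same bucket.
        key = "-".join(part.capitalize() for part in name.strip().split("-"))
        fields.setdefault(key, []).append(value.strip())
    return fields, errors


def validate_security_txt(text, now=None):
    """Check a security.txt against RFC 9116 plus the CVD-policy elements discussed above.

    `now` may be a timezone-aware datetime, an ISO 8601 string, or None (current UTC time).
    Returns {"errors": [...], "warnings": [...]}; no errors means the file is usable
    as a disclosure entry point.
    """
    now = _iso(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    fields, errors = parse_security_txt(text)
    warnings = []

    contacts = fields.get("Contact", [])
    if not contacts:
        errors.append("Contact: required field missing")
    for contact in contacts:
        if not contact.startswith(CONTACT_SCHEMES):
            errors.append(f"Contact: '{contact}' is not a mailto:, https:// or tel: URI")

    expires = fields.get("Expires", [])
    if len(expires) != 1:
        errors.append("Expires: must appear exactly once")
    else:
        try:
            when = _iso(expires[0])
            if when <= now:
                errors.append(f"Expires: file expired on {expires[0]}; researchers will treat it as stale")
            elif when - now > timedelta(days=365):
                warnings.append("Expires: more than a year ahead; RFC 9116 recommends under a year")
        except ValueError:
            errors.append(f"Expires: '{expires[0]}' is not an ISO 8601 date-time")

    if len(fields.get("Preferred-Languages", [])) > 1:
        errors.append("Preferred-Languages: must not appear more than once")
    if "Policy" not in fields:
        warnings.append("Policy: no link to the full human-readable CVD policy")
    if "Encryption" not in fields:
        warnings.append("Encryption: no key published, so reports cannot be sent encrypted")
    for name in fields:
        if name not in RFC9116_FIELDS:
            warnings.append(f"{name}: not an RFC 9116 field (extension fields are allowed)")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SECURITY_TXT), ("broken", BROKEN_SECURITY_TXT)):
        report = validate_security_txt(text)
        print(f"{label}: {len(report['errors'])} error(s), {len(report['warnings'])} warning(s)")
        for line in report["errors"] + report["warnings"]:
            print("  -", line)
```

Run against a live file with `curl -s https://<your-domain>/.well-known/security.txt | python3 -c 'import sys; from validator import validate_security_txt; print(validate_security_txt(sys.stdin.read()))'` (module name assumed). The Expires check is the one most often missed: an intake file that silently expired is, to a researcher's tooling, no intake at all, so tie its renewal to the same review cycle as the policy page it links to.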

Does a CVD policy need to be translated into all EU languages?

The CRA does not mandate specific languages for the CVD policy itself, but market surveillance authorities may expect the policy to be accessible to users in the language of the market where the product is sold. Publishing an English-language policy is common practice; adding the primary EU market languages reduces friction for researchers and demonstrates good faith to regulators.

Can a small manufacturer use a template CVD policy?

Yes, using a template is a practical starting point, but the policy must be customised with accurate contact details, realistic SLAs that match internal capacity, and a product scope that reflects the manufacturer's actual portfolio. A generic template that has not been adapted to the specific organisation will not demonstrate the genuine commitment regulators expect.
