Responsible Disclosure
Responsible disclosure is the practice of privately notifying a vendor of a security vulnerability before making it public, giving the vendor time to develop and release a fix. It is an older term that is largely synonymous with coordinated vulnerability disclosure (CVD), which is now the preferred terminology in EU regulatory frameworks.
What Is Responsible Disclosure?
Responsible disclosure is the informal name for the practice in which a security researcher who discovers a vulnerability privately notifies the affected vendor before publishing any details publicly. The researcher allows the vendor a reasonable period — historically 90 days, established by Google Project Zero — to develop and release a fix. After the fix is released or the deadline passes, the researcher may publish their findings. Responsible disclosure emerged in the 1990s as a compromise between 'full disclosure' (immediate public release) and 'non-disclosure' (keeping findings secret indefinitely). It is now largely superseded in formal regulatory language by coordinated vulnerability disclosure (CVD), which adds more structure and process.
Responsible Disclosure vs CVD Under the CRA
The EU Cyber Resilience Act uses the term coordinated vulnerability disclosure (CVD), not responsible disclosure. The distinction is important:
- Responsible disclosure is researcher-driven — the researcher sets the timeline and controls disclosure.
- CVD is process-driven — it is a structured, bilateral process with documented policies, SLAs, and mutual obligations on both the researcher and the manufacturer.
The CRA's Article 13(6) obligation falls on the manufacturer: to establish and maintain a CVD policy that creates a structured, trustworthy process. Responsible disclosure depends on researcher goodwill; CVD creates a replicable, auditable compliance artefact.
Safe Harbour for Researchers
A critical element of both responsible disclosure and CVD is safe harbour: an explicit statement from the manufacturer that good-faith security researchers who follow the published CVD policy will not face legal action. Without safe harbour, researchers who test products for vulnerabilities risk prosecution under computer crime laws or civil litigation under intellectual property law. The CRA's Recital 63 and ENISA's CVD Good Practice Guide both emphasise that manufacturers should explicitly grant safe harbour in their CVD policies. A safe harbour clause should specify:
- What testing activities are permitted.
- The notification process that grants safe harbour protection.
- The scope of products covered.
- Exclusions (e.g. customer data access, destructive testing).
When Responsible Disclosure Breaks Down
Responsible disclosure depends on good faith from both parties. Failures occur when:
- Vendors ignore reports — researchers who receive no response after repeated attempts publish anyway; this is not a disclosure failure on the researcher's part.
- Vendors threaten legal action — researchers who face cease-and-desist letters typically respond with immediate full public disclosure.
- No published contact channel — researchers cannot disclose responsibly to a vendor they cannot reach.
- Excessive delay — vendors who repeatedly extend remediation timelines without justification lose the researcher's cooperation.
The CRA's mandatory CVD policy requirement addresses these failures by creating a formal legal obligation on manufacturers to maintain an accessible, trustworthy disclosure process.
Frequently asked
Is 'responsible disclosure' the same as 'coordinated vulnerability disclosure'?
In practice the terms are often used interchangeably, but they carry different implications. Responsible disclosure is an informal norm driven by researcher ethics. Coordinated vulnerability disclosure (CVD) is a structured, bilateral process with documented policies, SLAs, and regulatory backing under the CRA. The CRA uses the term CVD; manufacturers building compliance programmes should use CVD terminology in their policies and documentation.
Can a researcher legally disclose a vulnerability publicly if a manufacturer ignores their report?
If a manufacturer has no CVD policy or published contact and ignores a report, a researcher is not obligated to maintain silence indefinitely. Industry norms (and ENISA guidance) support public disclosure after 90 days of no response. The CRA does not create obligations on researchers; it creates obligations on manufacturers to maintain reachable, responsive disclosure channels. A manufacturer who ignores reports has failed its own CRA obligation.
Does our CVD policy need to include safe harbour language?
Yes. ENISA's CVD Good Practice Guide explicitly recommends safe harbour clauses in CVD policies, and the CRA's Recital 63 notes the importance of enabling good-faith security research. Without safe harbour, researchers face legal uncertainty and will decline to report — which means vulnerabilities go unpatched. Safe harbour should be drafted with legal counsel familiar with EU computer crime law and the specific jurisdiction of your primary markets.