Vulnerability Disclosure Policy (VDP)
A Vulnerability Disclosure Policy (VDP) is a published document that defines how an organisation receives, handles, and responds to vulnerability reports from external security researchers. Under the CRA, maintaining a VDP is a legal requirement for all manufacturers of products with digital elements.
What Is a Vulnerability Disclosure Policy?
A Vulnerability Disclosure Policy (VDP) is a formal, published document that establishes the rules of engagement between a manufacturer and the security researcher community. It tells researchers: where to submit vulnerability reports; what information to include; what the manufacturer commits to doing in response (acknowledgement timeline, triage timeline, fix timeline); what constitutes in-scope and out-of-scope research; and what legal protections researchers can expect. A VDP is the operational specification for an organisation's coordinated vulnerability disclosure process. Without a published VDP, researchers have no reliable basis for trusting that their report will be handled appropriately, and many will simply publish their findings rather than report them privately.
CRA Requirements for a VDP
The CRA's Article 13(6) requires manufacturers to establish and maintain a policy on coordinated vulnerability disclosure. Recital 63 provides additional context, noting that manufacturers must make it possible for security researchers, users, and others to report vulnerabilities through accessible channels. A CRA-compliant VDP must at minimum: designate a contact channel (email address or web form) for receiving vulnerability reports; state acknowledgement and response timelines; define the manufacturer's approach to coordinating with the reporter before public disclosure; include a safe harbour clause protecting good-faith researchers from legal action; and be publicly accessible. The policy should also be referenced from the product's security.txt file for discoverability by automated security research tools.
VDP vs Bug Bounty vs CVD Policy
These three terms are sometimes used interchangeably but have distinct meanings. A VDP (Vulnerability Disclosure Policy) is the policy document — it defines the rules. A CVD policy is sometimes used synonymously with VDP, or may refer more specifically to the process for handling reports once received. A bug bounty programme is an optional financial incentive layer on top of a VDP — it rewards researchers with cash or recognition for valid findings. The CRA mandates a VDP (or equivalent CVD policy); a bug bounty is optional and complementary. Running a bug bounty without the underlying policy infrastructure is insufficient for CRA compliance, and maintaining a VDP alone — without a financial reward — fully satisfies the CRA obligation.
Operationalising Your VDP
Publishing a VDP is the first step; operating it is the continuous obligation. An effective VDP operation requires:
- Monitored inbox: The disclosed contact channel must be actively monitored, ideally under an SLA that begins initial triage within one business day of receipt.
- Acknowledgement within 5 days: ENISA's CVD Good Practice Guide and industry standards expect acknowledgement within five business days of report receipt.
- Triage process: Reported vulnerabilities must be assessed for validity, severity (using CVSS or EPSS), and remediation priority.
- Researcher communication: Keep reporters updated on progress — silence breeds public disclosure.
- Resolution tracking: Log every report, its disposition, and its timeline so that compliance can be demonstrated to market surveillance authorities (MSAs).
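To make the acknowledgement and disclosure timelines above concrete, here is an added Python example (not CVD Portal's code) that computes deadlines for a constructed intake log and flags reports needing escalation; the five-business-day acknowledgement and 90-day disclosure values follow the guidance this page cites, and the report IDs and dates are invented.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ACK_BUSINESS_DAYS = 5   # acknowledgement expectation (ENISA / industry practice)
DISCLOSURE_DAYS = 90    # standard coordinated disclosure window


def add_business_days(start: date, days: int) -> date:
    """Return the date `days` business days (Mon-Fri) after `start`."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 are Monday..Friday
            remaining -= 1
    return current


@dataclass
class Report:
    report_id: str
    received: date
    acknowledged: Optional[date] = None  # None until the team replies
    fixed: Optional[date] = None         # None until a fix ships


def ack_deadline(report: Report) -> date:
    return add_business_days(report.received, ACK_BUSINESS_DAYS)


def disclosure_deadline(report: Report) -> date:
    return report.received + timedelta(days=DISCLOSURE_DAYS)


def status(report: Report, today: date) -> str:
    """Classify a report for the resolution-tracking log."""
    if report.acknowledged is None:
        return "ACK_OVERDUE" if today > ack_deadline(report) else "AWAITING_ACK"
    if report.fixed is None:
        return ("DISCLOSURE_WINDOW_EXPIRED" if today > disclosure_deadline(report)
                else "IN_PROGRESS")
    return "RESOLVED"


# Constructed sample intake log (hypothetical IDs and dates, not real submissions)
SAMPLE_REPORTS = [
    Report("VDP-001", date(2025, 3, 7)),                                  # Friday, no reply yet
    Report("VDP-002", date(2025, 3, 10), acknowledged=date(2025, 3, 11)),
    Report("VDP-003", date(2024, 11, 1), acknowledged=date(2024, 11, 4)),
]


def overdue(today: date) -> list[str]:
    """IDs of reports needing escalation on `today`."""
    return [r.report_id for r in SAMPLE_REPORTS
            if status(r, today) in ("ACK_OVERDUE", "DISCLOSURE_WINDOW_EXPIRED")]
```

Run `overdue(date(2025, 3, 17))` to see that the unacknowledged Friday report and the report whose 90-day window lapsed in January are both escalated.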
CVD Portal automates the intake, triage routing, and resolution tracking components of VDP operation.
CVD Portal makes Vulnerability Disclosure Policy (VDP) compliance straightforward.
Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.
Frequently asked
Is there a standard template for a VDP?
Several widely used templates exist. ENISA published a CVD Good Practice Guide with example policy language. disclose.io maintains a community-driven repository of VDP templates at disclose.io. The ISO/IEC 29147 standard on vulnerability disclosure provides normative guidance on what a VDP should contain. CVD Portal provides a customisable VDP template that meets CRA requirements as part of its onboarding workflow.
How long should the disclosure timeline be in a VDP?
Most industry practice and ENISA guidance aligns on 90 days as the standard disclosure timeline — the period during which the manufacturer should fix the vulnerability before the researcher is entitled to publish. The CRA does not mandate a specific number of days. Some organisations use 45 or 60 days for critical vulnerabilities, or extend beyond 90 days for complex systemic issues. The VDP should state the timeline clearly and explain the conditions under which it may be extended.
Must a VDP be available in all EU official languages?
The CRA does not explicitly require VDPs to be translated into all EU official languages. However, Annex II user information must be provided in the language(s) required by the member states where the product is sold. For practicality, most manufacturers publish their VDP in English (the common language of the security research community) and consider providing key elements in the primary language(s) of their main markets.