On 15 July 2026, five national cyber security authorities published a joint guide titled "Establishing a Coordinated Vulnerability Disclosure Program to Work With Security Researchers". The authoring organizations are the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. National Security Agency (NSA), the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), the Netherlands' National Cyber Security Centre (NCSC-NL) and the United Kingdom's National Cyber Security Centre (NCSC-UK). The document is marked TLP:CLEAR and is freely available from CISA.
The guide asks suppliers to take three key actions. Create and publish a vulnerability disclosure policy (VDP). Define processes to triage, remediate and assign CVE identifiers for reported vulnerabilities. Leverage intermediaries such as national CSIRTs to substitute or supplement the program.
Why this matters for EU manufacturers
The guide explicitly references the EU Cyber Resilience Act. It notes that the CRA requires all suppliers operating in the European Union to maintain a vulnerability disclosure policy. This is international convergence. What the CRA mandates for the EU market is now recommended practice by the security authorities of the United States, Japan, the Netherlands and the United Kingdom. A manufacturer that builds its CVD program for CRA compliance is simultaneously meeting the bar these five agencies have set.
How CVD Portal aligns with the guidance
We reviewed the guide recommendation by recommendation and mapped each one against the platform. The result is summarised below.
| Guide recommendation | CVD Portal coverage |
|---|---|
| Create and publish a VDP | Every portal ships with a disclosure policy aligned with ISO/IEC 29147, BSI TR-03183-3 and CRA Articles 13 and 14, published on the tenant's public portal. A free policy generator is available to anyone. |
| Be public, open participation | Portals are fully public. Researchers submit without an account and can report anonymously. Report status is tracked through a private link with no login. |
| Set the widest scope possible | The default policy authorizes testing across products and services. Per-product scope can be defined with the policy generator. |
| Clearly state prohibited activities | The policy prohibits introducing malware, copying or deleting data, system changes, repeated or shared access, brute force attacks, denial of service and social engineering, matching the guide's full list. |
| Specify minimum reporting requirements | The submission form captures affected product, vulnerability category, summary, steps to reproduce and security impact. Contact details are optional. |
| Use security.txt (RFC 9116) | Each portal auto-generates an RFC 9116 security.txt with managed expiry. A free security.txt generator and a conformance scanner are included. |
| Offer safe harbor | The policy contains a good-faith safe harbor clause committing the company to pursue no legal action against researchers acting within the policy. |
| Set sharing expectations | Reports are handled confidentially and researcher data is never shared without consent. |
| Establish reasonable time frames | The policy commits to coordinated disclosure within 90 days. Per-severity resolution SLAs and configurable acknowledgement and triage targets are tracked automatically. |
| Acknowledge outreach within 2 to 3 business days | Researchers receive an automatic confirmation with a reference number the moment they submit. Acknowledgement SLA performance is measured on the analytics dashboard. |
| Triage and assess severity | Built-in CVSS scoring on every submission, with optional AI-assisted triage that suggests severity, duplicates and Article 14 relevance. A human always decides. |
| Develop fixes | Structured remediation decisions (fix, workaround, accept, transfer) with deadlines, rationale and post-release fix verification. |
| Assign CVE IDs and publish records | A guided CVE workflow tracks requested, reserved and published states. Suggested CVE matches are surfaced from EUVD and NVD data. |
| Develop customer communications | Advisories are published as machine-readable CSAF 2.0 documents with full provider distribution, plus public human-readable advisory pages and an RSS feed. No login, no paywall. Researchers who consent are credited by name in published advisories. |
| Review and update the program | The analytics dashboard tracks mean time to acknowledge, mean time to resolve, SLA rates and submission trends for management review. |
| Leverage intermediaries | Actively exploited vulnerabilities can be escalated to ENISA and the designated national CSIRT through the built-in Article 14 reporting workflow. |
| Avoid blanket disclosure restrictions | The policy states that signing an NDA will never be a condition of reporting or coordination. |
Where we go further
The guide recommends practices the CRA already turns into hard obligations for the EU market. CVD Portal automates those obligations directly, including the 24-hour, 72-hour and 14-day Article 14 reporting timers and submission of early warnings and notifications to the ENISA Single Reporting Platform.
A few edges remain. The guide mentions SSVC as a prioritisation option and CVD Portal currently standardises on CVSS. Bug bounty payouts are out of scope by design. The guide treats bounties as optional and many manufacturers deliberately run a CVD program without one.
The joint guide closes with a warning that neglecting to establish a CVD program may jeopardize customer security and erode trust within the security community. For manufacturers selling into the EU that risk is now also regulatory. A CVD program aligned with this guidance can be live on CVD Portal in minutes, starting on the free tier.
Launch a CVD program that follows the joint guidance out of the box.
Get started free