SECURE DISCLOSURE FRAMEWORK

Coordinated Vulnerability Disclosure (CVD)

REGULATORY FRAMEWORK

Vulnerability Disclosure Policy

1. Introduction & Scope

This Coordinated Vulnerability Disclosure (CVD) policy applies to all products and services developed and maintained by Portaregulus.

We consider the security of our systems and the data of our users to be of paramount importance. This policy is designed to ensure a secure, transparent, and legally protected environment for security researchers to report vulnerabilities, in full compliance with the EU Cyber Resilience Act (CRA).

2. EU CRA Alignment

Pursuant to Article 13 (Vulnerability handling requirements) and Article 14 (Reporting obligations of manufacturers) of the Cyber Resilience Act, Portaregulus commits to:
- Manage and remediate actively exploited vulnerabilities and severe security incidents.
- Report any vulnerability discovered in an integrated third-party component upstream to the entity that maintains that component.
- Submit an early warning to ENISA and the designated national CSIRT within 24 hours of becoming aware of an actively exploited vulnerability (Article 14(2)(a)).
- Submit a full vulnerability notification within 72 hours providing general information on the exploit and any corrective measures (Article 14(2)(b)).
- Submit a final report within 14 days after a corrective or mitigating measure becomes available (Article 14(2)(c)).

3. Reporting Protocol & Safe Harbor

To remain covered by our Safe Harbor and its legal protections, you must submit your findings securely through our portal.

Submission Guidelines:
- All reports must be submitted via the Secure Disclosure Form.
- Please provide a detailed technical breakdown, clear steps to reproduce (PoC), and any relevant scripts used.
- We strongly recommend encrypting sensitive findings using our provided PGP Public Key below.

Authorized Testing:
- Research exclusively targeting products actively deployed and managed by Portaregulus.
- Non-disruptive testing focused on identifying flaws without compromising user privacy or service availability.

Prohibited Actions (Strictly Forbidden):
- Denial of Service (DoS): Any payload or action that degrades service availability.
- Data Exfiltration: Accessing, disclosing, or modifying data belonging to other users.
- Social Engineering: Phishing, vishing, or physical access attempts against our employees.

4. Expectations & Service Level Agreements

We follow standard guidelines (such as ISO/IEC 29147) for coordinated disclosure. By reporting a vulnerability to us, you can expect:

- Acknowledgment: We will acknowledge receipt of your report within 48 hours.
- Triage & Validation: We will provide an initial assessment of the vulnerability within 10 business days.
- Status Updates: Transparent updates on our remediation progress at least every 15 calendar days.
- Coordinated Public Disclosure: You agree to withhold public disclosure until a patch is deployed and validation is complete.

Contact Information:
For any questions regarding this policy or the disclosure process, please contact our security team at [email protected].
