
Coordinated Vulnerability Disclosure Policy Template

A complete coordinated vulnerability disclosure policy following ISO/IEC 29147 best practice and CRA Article 13. Covers the full disclosure lifecycle: intake, triage, remediation, and coordinated publication.

For: Any organisation that develops, manufactures, or maintains software or connected products and wants a robust, standards-aligned CVD policy

CRA Articles: Article 13, Article 14

Purpose and Scope

Article 13(1)

[COMPANY NAME] believes that responsible disclosure of security vulnerabilities makes our products safer for everyone. This Coordinated Vulnerability Disclosure (CVD) Policy describes how we work with security researchers and customers to identify, validate, and remediate security vulnerabilities in [COMPANY NAME] products and services.

This policy applies to all [COMPANY NAME] products, services, and digital infrastructure. It does not apply to vulnerabilities in third-party services or open-source components not directly maintained by [COMPANY NAME].

Note

A clear scope statement prevents ambiguity about what is in-programme. List your major product lines or service domains explicitly. An overly narrow scope reduces the value of your programme.

Reporting a Vulnerability

Article 13(1)

To report a potential security vulnerability, please contact our security team:

  • Portal (preferred): [VULNERABILITY DISCLOSURE PORTAL URL]
  • Email: [SECURITY EMAIL ADDRESS]
  • PGP key: available at [PGP KEY URL] (fingerprint: [FINGERPRINT])

Please provide as much detail as possible, including:

  • Product name, version, and platform
  • Description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions
  • Proof of concept (screenshots, code, or video)
  • Whether the issue is already known or being exploited

Note

Researchers need a clear, friction-free path to report. A dedicated portal creates an automatic audit trail. Always offer PGP encryption; it signals that you take confidential handling seriously.

Our Response Commitments

Article 13

We commit to the following timeline:

| Milestone | Target |
|---|---|
| Acknowledgment of receipt | Within 48 hours |
| Initial severity assessment | Within 5 business days |
| Remediation plan communicated | Within 30 days |
| Regular status updates | At least every 30 days |
| Patch release or advisory | As soon as practicable |

We will keep you informed throughout the process and notify you when the issue is resolved.

Note

Concrete timelines build trust with researchers. The 48-hour acknowledgment mirrors the CRA minimum. If you cannot meet a deadline, communicate proactively; silence is the fastest way to lose researcher goodwill.

Coordinated Disclosure Timeline

Article 13, Article 14

[COMPANY NAME] requests a coordinated disclosure period of [90] calendar days from the date of initial report. During this period:

  1. We will work to validate, reproduce, and remediate the vulnerability.
  2. We will keep you updated on progress at least every 30 days.
  3. We ask that you refrain from publishing vulnerability details until a patch or advisory is available.

If a vulnerability is actively being exploited in the wild, we may accelerate the timeline and issue an advisory with or without a complete fix. We will always notify you before public disclosure.

If we cannot remediate within the coordinated period, we will discuss an extension with you and explain the reasons for the delay.

Note

90 days is the widely accepted industry standard (aligned with Google Project Zero). Be explicit that active exploitation can compress the timeline; this aligns with your CRA Article 14 obligations.

Safe Harbour

[COMPANY NAME] will not pursue legal or regulatory action against researchers who:

  • Discover and report vulnerabilities in good faith under this policy
  • Avoid intentional harm to users, services, or data beyond what is strictly necessary to demonstrate the issue
  • Do not access, modify, or exfiltrate data beyond what is needed for proof of concept
  • Notify us before disclosing to any third party
  • Comply with applicable law in their jurisdiction

We consider good-faith research conducted under this policy to be authorised and will communicate this to law enforcement if necessary.

Note

A safe harbour clause is essential. Researchers are much more likely to report to vendors who explicitly protect them. This also reduces legal overhead for your own team when handling reports.

Acknowledgment and Recognition

[COMPANY NAME] recognises the contributions of security researchers who help us improve the security of our products. With your permission, we will:

  • Acknowledge your contribution in the security advisory for the vulnerability
  • List your name or handle in our security acknowledgments page at [ACKNOWLEDGMENTS URL]

We do not currently offer a bug bounty programme. If that changes, we will update this policy.

All researchers will receive confirmation that their report contributed to a fix, regardless of whether they wish to be publicly credited.

Note

Recognition costs nothing and substantially increases researcher motivation to report. If you plan to add a bounty programme, note it here. Never promise what you cannot deliver.

Advisory Publication

Annex I

When a vulnerability is resolved, [COMPANY NAME] will publish a security advisory that includes:

  • CVE identifier (where assigned)
  • CVSS 3.1 or 4.0 severity score
  • Affected products and versions
  • Fixed versions
  • Remediation guidance for users
  • Acknowledgment of the reporting researcher (with permission)

Advisories are published at [ADVISORY URL] and distributed via [RSS FEED / EMAIL LIST / SECURITY MAILING LIST].

For qualifying vulnerabilities, advisories are also published in CSAF 2.0 format for machine-readable consumption.

Note

Publishing advisories with CVE IDs and CVSS scores demonstrates transparency. CSAF 2.0 is increasingly expected under the CRA and by enterprise procurement. CVD Portal generates CSAF advisories automatically.

Use this template automatically in CVD Portal

CVD Portal generates your CVD policy, tracks acknowledgments, and creates an audit trail — free for Article 14 compliance.
