How quickly will I receive a response?

We acknowledge all reports within 48 hours and provide an initial severity assessment within 5 business days. You will receive status updates at least every 30 days until the vulnerability is resolved.

Can I report anonymously?

Yes. You can submit a report without providing your contact details. We cannot keep you updated or credit you in our advisory if you report anonymously, but we will still investigate and address the vulnerability.

Will I be credited for my report?

Yes — by default we credit researchers who report valid vulnerabilities in our public security advisories. Let us know if you prefer not to be named.

What if the vulnerability is in a third-party component in your product?

Report it to us regardless. We will triage it and coordinate with the upstream component maintainer if required — this is part of our supply chain vulnerability handling obligations under the CRA.

Does this policy apply to legacy or discontinued products?

Products that have reached end-of-life are excluded from this policy. For critical vulnerabilities in discontinued products, we may still respond at our discretion — contact us to discuss.

← All templates

Free Template

Basic CVD Policy Template

A straightforward coordinated vulnerability disclosure policy aligned with ISO/IEC 29147. Covers the core commitments expected by security researchers and satisfies CRA Article 13 requirements.

Article 13

ForSME manufacturers of products with digital elements who need a baseline CVD policy

CRA Articles

Article 13

Introduction and Purpose

Article 13(1)

[COMPANY NAME] is committed to the security of our products and services. We believe that coordinated vulnerability disclosure benefits our customers and the broader digital community.

This policy describes how security researchers and the public can report potential security vulnerabilities in [COMPANY NAME] products, and the commitments we make in response.

Note

Keep this brief. Researchers read many policies and want to reach the reporting instructions quickly. One clear statement of commitment is enough.

Scope

Article 13(4)

This policy applies to vulnerabilities in:

[PRODUCT NAME 1] (versions [X.X] and later)
[PRODUCT NAME 2]
[WEBSITE / API at DOMAIN.COM]

Out of scope:

Products that have reached end-of-life (see [SUPPORT LIFECYCLE URL])
Third-party services not operated by [COMPANY NAME]
Denial-of-service attacks
Social engineering

Note

Be specific about which products are covered. Listing out-of-scope items prevents wasted reports and sets clear expectations for researchers.

How to Report a Vulnerability

Article 13(1)

To report a security vulnerability, contact our security team:

Email: [[email protected]] PGP Key: Fingerprint [FINGERPRINT] — available at [KEY URL] Portal: [PORTAL URL]

We accept reports in English [and LANGUAGE if applicable].

Do not report security vulnerabilities through public issue trackers, social media, or support tickets.

Note

Provide a dedicated security contact. A vulnerability portal (like CVD Portal) starts your 48-hour acknowledgment clock automatically and creates an audit trail for CRA compliance.

What to Include in Your Report

Please include:

Affected product and version
Vulnerability type (e.g. authentication bypass, command injection, insecure update)
Impact: What could an attacker achieve?
Reproduction steps: Step-by-step instructions
Proof of concept: Code, screenshots, or video (optional but helpful)
Your contact details: So we can update you and credit you (optional)

Note

Well-structured guidance here improves report quality, speeds up triage, and reduces back-and-forth with reporters.

Our Commitments

Article 13(1)

[COMPANY NAME] commits to:

Acknowledgment within 48 hours of receiving your report
Initial severity assessment within [5] business days
Status updates at least every [30] days until resolved
Notification when the vulnerability is patched
Credit in our security advisory unless you prefer anonymity

Note

48-hour acknowledgment is the ISO 29147 standard and the CRA Article 13 expectation. Committing to it publicly builds researcher trust and is evidence of a mature process.

Safe Harbour

Security research conducted in good faith and in accordance with this policy is authorised by [COMPANY NAME]. We will not pursue legal action against researchers who:

Comply with this policy
Avoid accessing or modifying data beyond what is necessary to demonstrate the vulnerability
Do not intentionally disrupt our services
Report vulnerabilities to us before public disclosure

[COMPANY NAME] views good-faith research as a contribution to product security.

Note

A safe harbour statement is essential for attracting responsible researchers. Without it, researchers may hesitate to report for fear of legal consequences. Have your legal team review this section.

Coordinated Disclosure

Article 13(4)

[COMPANY NAME] requests [90] days from initial report to address vulnerabilities before public disclosure. We will:

Work with you on disclosure timing
Coordinate with upstream vendors if required
Notify you before publishing any security advisory
Credit you in our advisory if you wish

If you believe a vulnerability requires faster disclosure due to active exploitation, please contact us before proceeding publicly.

Note

90 days is the widely-accepted industry standard (aligned with Google Project Zero). Mentioning upstream vendor coordination is important under the CRA, which requires supply chain vulnerability handling.

Use this template automatically in CVD Portal

CVD Portal generates your CVD policy, tracks acknowledgments, and creates an audit trail — free, forever.

Set up your free portal

Frequently asked questions

Ready to go beyond the template?

CVD Portal automates acknowledgments, tracks deadlines, and generates CSAF advisories — free.

Set up your free portal

Related templates

CRA-Compliant CVD Policy Template

A comprehensive CVD policy structured specifically for the EU Cyber Resilience Act. Addresses Articles 13 and 14 obligations including 24-hour early warning, 72-hour full notification, and coordinated disclosure timelines.

Responsible Disclosure Policy Template

A responsible disclosure policy template for manufacturers and software publishers. Uses 'responsible disclosure' terminology familiar to the security research community while meeting CRA Article 13 obligations.

EU CVD Policy Template

A CVD policy template specifically written for EU manufacturers placing products on the European market. References EU-specific obligations (CRA, NIS2 intersection, ENISA), using terminology aligned with EU regulatory guidance.