OEM Manufacturer CVD Policy Template

[COMPANY NAME] designs and manufactures [DESCRIPTION OF PRODUCTS, e.g. embedded computing modules, wireless communication modules, hardware security modules, industrial communication components] that are supplied to other manufacturers (system integrators and OEM customers) for integration into their finished products.

This Coordinated Vulnerability Disclosure (CVD) Policy reflects our unique position as an OEM supplier: we receive vulnerability reports from security researchers about our components, and we have an obligation to notify our downstream OEM customers who have integrated those components into their own products.

This policy is published in compliance with Article 13 of the EU Cyber Resilience Act (Regulation (EU) 2024/2847). As a supplier of components to downstream manufacturers, [COMPANY NAME] operates in the supply chain role described in CRA Articles 17 and 18, which place obligations on both us and our downstream customers regarding vulnerability notification and handling.

[COMPANY NAME] commits to:

1. Operating a public CVD programme to receive and respond to inbound researcher reports
2. Notifying downstream OEM customers of confirmed vulnerabilities in components we supply to them
3. Coordinating disclosure timelines with both researchers and downstream customers
4. Meeting Article 14 notification obligations where applicable

This policy covers the following [COMPANY NAME] components and software:

| Component | Type | Supplied To | Supported Versions | |-----------|------|-------------|--------------------| | [COMPONENT 1] | [Hardware module / Firmware / SDK] | [OEM customers] | [Version X.x and later] | | [COMPONENT 2] | [Communication module] | [System integrators] | [Firmware 2.x and later] | | [SDK / LIBRARY 1] | [Software library] | [OEM software customers] | [Version 3.x and later] | | [REFERENCE DESIGN 1] | [Hardware reference design + firmware] | [ODM customers] | [All supported revisions] |

Downstream integration contexts in scope: This policy applies regardless of what finished product our component is integrated into by an OEM customer.

Not covered by this policy:

• Custom-developed firmware or software created specifically for a single OEM customer (covered by that customer's bilateral security agreement)
• End products manufactured by OEM customers — vulnerabilities in the OEM customer's product as a whole should be reported to that manufacturer
• Components at end-of-life (see [SUPPORT PAGE URL])
• Vulnerabilities introduced by OEM customer modifications to our components

To report a security vulnerability in any [COMPANY NAME] component or software, please use:

Preferred: Submit via our vulnerability disclosure portal: [PORTAL URL]

Email: [[email protected]] PGP encryption: Key fingerprint [FINGERPRINT] | Available at [KEY URL]

security.txt: https://[YOUR-DOMAIN]/.well-known/security.txt

Please include in your report:

• The affected [COMPANY NAME] component name, part number, and firmware/software version
• Whether you encountered this vulnerability in a [COMPANY NAME] reference design or in a finished product from an OEM customer
• A description of the vulnerability and its potential impact
• Steps to reproduce
• Whether you believe downstream OEM customer products may be affected

If you encountered this vulnerability in a finished product (i.e. a product manufactured by a company other than [COMPANY NAME] that uses our component internally): please also report directly to that manufacturer. We will coordinate with them, but they may have independent obligations to their customers and regulators.

We accept reports in [LANGUAGE(S)] and treat all reports as confidential.

[COMPANY NAME] acknowledges all vulnerability reports within 48 hours of receipt and performs initial triage within 5 business days.

Triage includes:

1. Confirming the vulnerability exists in [COMPANY NAME] component code (not OEM customer additions)
2. Identifying all affected component versions and variants
3. Assessing CVSS 4.0 severity
4. Estimating downstream exposure — identifying which OEM customer product lines integrate the affected component version

OEM downstream exposure assessment:

For each confirmed vulnerability, we assess:

• Number of OEM customers who have integrated the affected component version
• Estimated number of end-user products in the field that contain the affected component
• Whether the OEM customer's product integration or configuration mitigates or exacerbates the vulnerability
• Whether any affected OEM customer products are deployed in regulated sectors (critical infrastructure, healthcare, etc.)

This exposure assessment determines the priority and process for downstream customer notification (see Section 5).

Response timeline commitments:

| Severity | Acknowledgment | Triage | Patch Target | |----------|---------------|--------|--------------| | Critical | 48 hours | 1 business day | [15] calendar days | | High | 48 hours | 3 business days | [30] calendar days | | Medium | 48 hours | 5 business days | [60] calendar days | | Low | 48 hours | 10 business days | [90] calendar days |

Upon confirming a vulnerability of Medium severity or above, [COMPANY NAME] will notify affected downstream OEM customers according to the following process:

Notification timeline:

| Severity | Downstream Customer Notification | |----------|-----------------------------------| | Critical | Within [2] business days of confirmation | | High | Within [5] business days of confirmation | | Medium | Within [10] business days of confirmation | | Low | Included in next regular security bulletin |

Notification contents:

Each downstream customer notification includes:

• [COMPANY NAME] component name and affected version(s)
• Vulnerability description (technical, at a level appropriate for their engineering team)
• CVSS base score and severity rating
• Affected hardware and firmware/software configurations
• Patch version or workaround
• Estimated public disclosure date
• Instructions for customers to assess their own product exposure
• Contact for questions: [PSIRT EMAIL]

Customer NDA and embargo:

Downstream customer notifications are issued under mutual NDA and embargo until public disclosure. OEM customers must not publish information about the vulnerability before [COMPANY NAME]'s coordinated public disclosure date, which is coordinated with both the original reporter and affected customers.

Customer failure to apply patch:

If an OEM customer has not applied a patch within [30] days of availability for a Critical vulnerability, [COMPANY NAME] will escalate to that customer's executive security contact. We will not delay public disclosure to accommodate a customer's patch schedule.

Embargo management

[COMPANY NAME] manages a multi-party coordinated disclosure process that involves:

1. The original security researcher (if externally reported)
2. Downstream OEM customers who integrate the affected component
3. [COMPANY NAME]'s own PSIRT and engineering teams

Disclosure timeline:

• Day 0: Vulnerability report received
• Day 2: Internal triage complete; downstream customers notified (Critical) or notification scheduled
• Day [X]: Patch available to downstream customers
• Day [X+5]: Public security advisory published (or 90 days from Day 0, whichever is earlier for standard cases)

Embargo conditions:

OEM customers who receive advance notification are bound by the following embargo conditions:

• Do not disclose vulnerability details to third parties outside your security team without [COMPANY NAME]'s consent
• You may disclose to your own customers that a security update is pending, without disclosing technical details
• You may disclose to your own regulators under confidentiality if legally required

Early disclosure by a downstream customer:

If an OEM customer publishes vulnerability information before the coordinated disclosure date, [COMPANY NAME] will accelerate public advisory publication to prevent a situation where partial information is in the public domain without [COMPANY NAME]'s complete advisory.

Reporter timeline rights:

[COMPANY NAME] will not use downstream customer coordination as justification to extend the coordinated disclosure timeline beyond 90 days from the original report date without the original reporter's explicit consent.

Where a confirmed vulnerability in [COMPANY NAME] components meets the Article 14 threshold — actively exploited or constituting a severe security incident — [COMPANY NAME] will:

1. Submit an early warning to ENISA within 24 hours of becoming aware
2. Submit a full notification to ENISA within 72 hours
3. Submit a final report within 14 days

For OEM components, Article 14 thresholds are particularly relevant where:

• The vulnerability is actively exploited across multiple OEM customer products simultaneously
• The vulnerability is exploited in products deployed in critical infrastructure (even if [COMPANY NAME] is not the end product manufacturer)
• The vulnerability enables supply chain-level attacks affecting a large number of downstream products

Coordinating Article 14 with downstream customers:

Where [COMPANY NAME] files an Article 14 notification regarding a component vulnerability, we will:

• Notify affected downstream OEM customers of the notification before it is filed (where the 24-hour timeline permits)
• Share a summary of the notification with affected customers to enable them to assess their own Article 14 or NIS2 obligations
• Coordinate the public disclosure timeline with the Article 14 notification process

Downstream OEM customers who are themselves manufacturers of products with digital elements may have independent Article 14 obligations regarding the vulnerability in their finished products.

[COMPANY NAME] authorises good-faith security research on [COMPANY NAME] components and reference designs conducted in accordance with this policy.

We will not take legal action against researchers who:

• Follow this policy
• Use components or systems they own or have explicit permission to test
• Limit testing to what is strictly necessary to confirm the vulnerability
• Report to us before any public or third-party disclosure

OEM customer products: Security research conducted on finished products manufactured by [COMPANY NAME]'s OEM customers is subject to those customers' own CVD policies, not this policy. [COMPANY NAME] cannot extend safe harbour protections to research conducted on OEM customer products.

Component availability for research:

[COMPANY NAME] makes [COMPONENT EVALUATION KITS / DEVELOPMENT MODULES] available for purchase through [DISTRIBUTION CHANNEL]. Security researchers may use these evaluation kits for research under this policy's safe harbour without needing special permission from [COMPANY NAME].