
Responsible Disclosure Policy Template

A responsible disclosure policy template for manufacturers and software publishers. Uses 'responsible disclosure' terminology familiar to the security research community while meeting CRA Article 13 obligations.

For: Software companies and hardware manufacturers who want to adopt security researcher-friendly language while meeting EU regulatory requirements

CRA Articles: Article 13

Our Commitment to Security

Article 13(1)

[COMPANY NAME] takes the security of our products seriously. We recognise that independent security researchers play an important role in identifying vulnerabilities before they can be exploited.

This Responsible Disclosure Policy sets out how to report security vulnerabilities to us, and what you can expect from us in return.

Note

Responsible disclosure language is widely recognised in the security community and signals openness to researcher collaboration. The CRA uses 'coordinated vulnerability disclosure' — both terms are acceptable in practice.

What We Ask of Researchers

When researching and reporting vulnerabilities, please:

  • Act in good faith — do not intentionally harm [COMPANY NAME], our users, or our services
  • Minimise impact — only access the data necessary to demonstrate the vulnerability
  • Report promptly — notify us as soon as you discover a potential vulnerability
  • Coordinate disclosure — give us reasonable time to respond before publishing
  • Keep it confidential — do not share details with others until we have addressed the issue
  • Follow the law — research within the bounds of applicable law

Note

Framing researcher obligations as requests rather than demands creates a more collaborative tone. The security research community responds better to 'please do X' than 'you must do X'.

How to Report

Article 13(1)

Email: [SECURITY EMAIL ADDRESS]
Portal: [PORTAL URL] (for structured reports with automatic acknowledgment)
PGP: Key fingerprint [FINGERPRINT] for encrypted reports

Please include:

  • Which product or service is affected
  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any relevant screenshots or proof-of-concept code

We do not accept vulnerability reports via support tickets, social media, or public forums.

Note

Offering both email and a portal gives researchers flexibility. The portal creates an automatic audit trail — important for demonstrating CRA compliance.

What to Expect from Us

Article 13(1)

When you submit a vulnerability report, [COMPANY NAME] will:

✓ Acknowledge your report within 48 hours
✓ Keep you informed of our investigation progress
✓ Work with you to understand and validate the issue
✓ Notify you when we have released a fix
✓ Credit you publicly for your discovery (if you wish)
✓ Not pursue legal action against you for good-faith research under this policy

Note

The checkmark format is visually clear and easy to scan. Committing to no legal action here (safe harbour) in positive terms — 'will not pursue' — is more reassuring than listing conditions.

Disclosure Timeline

Article 13(4)

[COMPANY NAME] follows a [90]-day disclosure window from initial report. This means:

  • We aim to release a patch or advisory within [90] days of your report
  • We will discuss the timeline with you if we need more time
  • We will provide advance notice before we publish our advisory
  • We will coordinate with you on the content of any public disclosure

If a vulnerability is being actively exploited in the wild, we will prioritise faster remediation and disclosure.

Note

90 days is the industry standard. Mentioning active exploitation handling shows researchers you understand the urgency dimension — and it aligns with your Article 14 internal obligations.

Safe Harbour

If you discover and report a vulnerability in good faith and in accordance with this policy, [COMPANY NAME] will not:

  • Pursue legal or civil action against you
  • Report you to law enforcement
  • Terminate or restrict your access to our products solely because of your research

This safe harbour applies provided you did not intentionally access data beyond your own, did not disrupt our services, and reported to us before any public disclosure.

Note

A clear, positive safe harbour statement is the most important element of any responsible disclosure policy. It is what convinces researchers to report to you rather than to the public.

Hall of Fame

[COMPANY NAME] maintains a public acknowledgment page at [HALL OF FAME URL] listing researchers who have responsibly disclosed vulnerabilities to us.

If you would like to be recognised, let us know your preferred name or alias when submitting your report. Recognition is entirely optional — you may report anonymously if you prefer.

Note

A Hall of Fame (or Security Acknowledgments page) is a low-cost but effective way to incentivise responsible disclosure. Many researchers value recognition as much as or more than financial rewards.

Use this template automatically in CVD Portal

CVD Portal generates your CVD policy, tracks acknowledgments, and creates an audit trail — free, forever.
