Free Tool
CVD Policy Generator
Build a complete, publication-ready CVD policy document using a guided five-step wizard. Configure your response timelines, CRA Article 13 and 14 obligations, and product scope, then export a finished Markdown policy you can publish immediately.
Step 1 — Company: the contact channel is required by CRA Article 13, which calls for a single, publicly accessible point of contact.

Live preview of the generated policy:
```markdown
# Coordinated Vulnerability Disclosure Policy

**[COMPANY NAME]** | https://[YOURDOMAIN.COM]/security

## 1. Introduction

[COMPANY NAME] is committed to the security of our products and services. We welcome reports from security researchers, customers, and partners who discover potential security vulnerabilities. This Coordinated Vulnerability Disclosure (CVD) Policy describes how to report vulnerabilities and what you can expect from us in return. This policy is maintained in compliance with the EU Cyber Resilience Act (Regulation (EU) 2024/2847), Article 13, and ISO/IEC 29147.

## 2. Scope

This policy applies to all [COMPANY NAME] products and services. This policy also covers associated cloud services and APIs operated by [COMPANY NAME].

## 3. How to Report

Report security vulnerabilities to our security team via:

- **Email:** security@[YOURDOMAIN.COM]

Please include:

- Product name and version
- Description of the vulnerability and its potential impact
- Step-by-step reproduction instructions
- Proof of concept (screenshots, code, or video)

## 4. Our Commitments

[COMPANY NAME] commits to the following response timeline:

| Milestone | Target |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial severity assessment | Within 5 business days |
| Status updates | At least every 30 days |
| Critical patch | Within 7 days |
| High patch | Within 30 days |
| Medium patch | Within 90 days |

## 5. Coordinated Disclosure

[COMPANY NAME] requests a coordinated disclosure period of **90 days** from the date of your report. We ask that you refrain from publishing vulnerability details until a patch or advisory is available, or until the 90-day period has elapsed. If a vulnerability is actively being exploited, we may accelerate the timeline and issue an advisory with or without a complete fix. We will always notify you before public disclosure.

## 6. Safe Harbour

[COMPANY NAME] will not pursue legal action against researchers who:

- Discover and report vulnerabilities in good faith under this policy
- Limit testing to systems they own or have explicit permission to test
- Avoid intentional service disruption or data access beyond proof of concept
- Notify us before any public disclosure
- Comply with applicable law

## 7. Recognition

[COMPANY NAME] does not currently offer monetary rewards for vulnerability reports. With your permission, we will acknowledge your contribution in the security advisory for the vulnerability.

## 8. CRA Article 14 Obligations

Where a reported vulnerability is actively exploited in the wild or constitutes a severe security incident, [COMPANY NAME] will notify ENISA within **24 hours** (early warning) and **72 hours** (full notification) under Article 14 of the EU Cyber Resilience Act.

---

*Last updated: 2026-04-07*
```
Copy the Markdown and publish it at https://yourcompany.com/security. CVD Portal hosts your policy and tracks compliance automatically.
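The wizard's two jobs, turning the configured timelines into the Markdown sections above and turning them into concrete dates once a report arrives, look roughly like the following. This is an added example written for this page, not the CVD Portal tool's own code; it renders only the timeline-dependent sections (4, 5 and 8) of the template, and the config field names, their defaults and the sample report are assumptions. The deadline function also treats the Article 14 clock as starting at the report time, which is an approximation noted in its docstring.

```python
"""Added example (not the CVD Portal tool's own code). It renders the
configurable sections of the policy template shown above (sections 4, 5 and 8;
the fixed boilerplate sections are left out) and turns the configured
timelines into concrete deadlines for one report. Field names, defaults and
the sample report below are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class CvdConfig:
    """Wizard choices; the defaults mirror the preview above."""
    company: str = "[COMPANY NAME]"
    ack_hours: int = 48
    assessment_business_days: int = 5
    status_update_days: int = 30
    patch_target_days: dict = field(
        default_factory=lambda: {"Critical": 7, "High": 30, "Medium": 90})
    embargo_days: int = 90
    article_14_section: bool = True   # include the ENISA notification clause


def render_commitments(cfg: CvdConfig) -> str:
    """Markdown for the timeline-dependent sections of the policy."""
    c = cfg.company
    lines = [
        "## 4. Our Commitments", "",
        f"{c} commits to the following response timeline:", "",
        "| Milestone | Target |", "|---|---|",
        f"| Acknowledgment | Within {cfg.ack_hours} hours |",
        f"| Initial severity assessment | Within {cfg.assessment_business_days} business days |",
        f"| Status updates | At least every {cfg.status_update_days} days |",
    ]
    lines += [f"| {sev} patch | Within {days} days |"
              for sev, days in cfg.patch_target_days.items()]
    lines += [
        "", "## 5. Coordinated Disclosure", "",
        f"{c} requests a coordinated disclosure period of **{cfg.embargo_days} days** "
        "from the date of your report. We ask that you refrain from publishing "
        "vulnerability details until a patch or advisory is available, or until the "
        f"{cfg.embargo_days}-day period has elapsed. If a vulnerability is actively "
        "being exploited, we may accelerate the timeline and issue an advisory with or "
        "without a complete fix. We will always notify you before public disclosure.",
    ]
    if cfg.article_14_section:
        lines += [
            "", "## 8. CRA Article 14 Obligations", "",
            "Where a reported vulnerability is actively exploited in the wild or "
            f"constitutes a severe security incident, {c} will notify ENISA within "
            "**24 hours** (early warning) and **72 hours** (full notification) under "
            "Article 14 of the EU Cyber Resilience Act.",
        ]
    return "\n".join(lines) + "\n"


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `start` by `days` weekdays (public holidays are ignored here)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:      # Monday..Friday
            days -= 1
    return current


def report_deadlines(cfg: CvdConfig, reported_at: datetime, severity: str,
                     actively_exploited: bool = False) -> dict:
    """Deadlines the policy commits to for a single report.

    The Article 14 clock is taken to start at the report time; in practice it
    starts when the manufacturer becomes aware of the exploitation, which may
    differ from the time of the external report."""
    due = {
        "acknowledgment": reported_at + timedelta(hours=cfg.ack_hours),
        "severity_assessment": add_business_days(reported_at, cfg.assessment_business_days),
        "first_status_update": reported_at + timedelta(days=cfg.status_update_days),
        "embargo_ends": reported_at + timedelta(days=cfg.embargo_days),
    }
    if severity in cfg.patch_target_days:
        due["patch"] = reported_at + timedelta(days=cfg.patch_target_days[severity])
    if actively_exploited and cfg.article_14_section:
        due["enisa_early_warning"] = reported_at + timedelta(hours=24)
        due["enisa_full_notification"] = reported_at + timedelta(hours=72)
    return due


if __name__ == "__main__":
    cfg = CvdConfig(company="Example GmbH")        # constructed sample values
    print(render_commitments(cfg))
    report = datetime(2026, 4, 10, 9, 0, tzinfo=timezone.utc)   # a Friday morning
    for name, when in report_deadlines(cfg, report, "Critical", True).items():
        print(f"{name:>24}: {when:%Y-%m-%d %H:%M} UTC")
```

Because the assessment target is expressed in business days while the patch and embargo targets are calendar days, the two can coincide (a Friday report makes both the 5-business-day assessment and the 7-day Critical patch fall on the following Friday); a tracker should keep them as separate milestones rather than merging them.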
Frequently asked questions
Is a CVD policy required under the CRA?
Yes. Article 13(8) of the Cyber Resilience Act requires manufacturers of products with digital elements to have a policy for coordinated vulnerability disclosure in place. The policy must be publicly accessible and describe how vulnerability reports are handled, acknowledged, and remediated.
What should a CRA-compliant CVD policy include?
At minimum: a contact channel for receiving reports, an acknowledgment timeline, a remediation target, rules on coordinated public disclosure (embargo), and a commitment to notify ENISA under Article 14 when active exploitation is discovered. This generator covers all required sections.
Does the generated policy need legal review?
The output is a substantive starting point based on CRA requirements, ISO 29147 good practice, and standard CVD norms. We recommend having your legal counsel review it before publishing, especially if you operate across multiple EU member states.
What is an embargo period in a CVD policy?
An embargo period is the agreed window — typically 90 days — during which the researcher and the vendor work together to produce a fix before the vulnerability details are publicly disclosed. The 90-day norm is established by Google Project Zero and widely adopted.
Ready to automate your CVD programme?
CVD Portal integrates all these tools and handles your Article 13 and 14 obligations automatically.