Category guide

Vulnerability Disclosure Platform (VDP)

A VDP is the operational layer that lets security researchers tell you about flaws in your product without it being awkward, risky, or slow for either side. This guide explains what a VDP does, what to look for in one, and how the EU Cyber Resilience Act changes the requirements for European manufacturers.

Why VDPs exist

Security researchers find vulnerabilities. Without a clear, published channel, those findings either get published unilaterally (full disclosure), sold on grey markets, or sit on a researcher's laptop indefinitely. A VDP makes coordinated disclosure the path of least resistance. It is the difference between learning about a flaw from a researcher email and learning about it from a journalist asking for comment.

ISO/IEC 29147 is the international standard for vulnerability disclosure processes. ISO/IEC 30111 covers internal handling. Together they describe what a competent VDP looks like. The CRA now turns parts of this into a binding obligation for EU manufacturers.

Six components of a real VDP

Anything calling itself a vulnerability disclosure platform should cover all six. If something is missing, you will pay for it in coordination overhead later.

1. Published policy with safe-harbor language

Researchers will not report into a black box. The policy should describe scope, authorised testing methods, response timelines, and a clear safe-harbor statement that protects good-faith research.

2. Structured intake under your brand

A whitelabel form and email address ([email protected] or your own domain) collect reports in a consistent shape. PGP support matters for sensitive submissions.

3. Acknowledgment SLA

ISO/IEC 29147 sets a 48h acknowledgment expectation. The platform should send the acknowledgment automatically and track responder follow-up.

4. Triage workflow

Severity assessment, duplicate detection, status tracking, and internal handoff to engineering. Without this the inbox becomes the bottleneck.

5. Coordinated disclosure timeline

Agreed-upon disclosure date, embargo handling, and a clean publication of the resulting advisory. CSAF 2.0 is the machine-readable format expected by the security industry.

6. Audit trail

Timestamps on every event. Required for regulator-facing posture under the CRA and useful for internal post-mortems.
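Components 3 and 6 are the two an engineer can actually verify: is the acknowledgment clock tracked against the 48h window, and can the event history be trusted when a regulator or a post-mortem asks for it? The Python below is an added example, not CVD Portal's code. The event names, the CaseTracker design and the hash chain are this example's own choices; the 48h window follows the page; the CRA Article 14 clocks (24h early warning and 72h vulnerability notification, counted from awareness of an actively exploited vulnerability) follow the regulation text. The timeline in build_sample_case() is constructed. Chaining each event's digest to the previous one means a timestamp edited after the fact no longer verifies, which is what makes the trail usable as evidence rather than just a log.

```python
"""Disclosure-case tracker: acknowledgment SLA, CRA Article 14 clocks and a
tamper-evident (hash-chained) audit trail.

Added example; not CVD Portal's code. The event names, CaseTracker design and
hash chain are this example's choices. The 48h acknowledgment window follows
the page; the Article 14 clocks (24h early warning, 72h notification, counted
from awareness of active exploitation) follow the CRA text.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone

ACK_SLA = timedelta(hours=48)        # acknowledgment window stated on the page
EARLY_WARNING = timedelta(hours=24)  # CRA Art. 14: early warning
NOTIFICATION = timedelta(hours=72)   # CRA Art. 14: vulnerability notification
GENESIS = "0" * 64                   # prev_hash of the first event in a trail


@dataclass(frozen=True)
class Event:
    kind: str        # "received", "acknowledged", "exploitation_confirmed", ...
    at: datetime     # timezone-aware timestamp
    actor: str       # who recorded the event
    prev_hash: str   # digest of the preceding event (chains the trail)
    digest: str      # sha256 over kind, at, actor and prev_hash


def event_digest(kind: str, at: datetime, actor: str, prev_hash: str) -> str:
    payload = json.dumps([kind, at.isoformat(), actor, prev_hash])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


@dataclass
class CaseTracker:
    case_id: str
    events: list[Event] = field(default_factory=list)

    def record(self, kind: str, at: datetime, actor: str = "system") -> Event:
        """Append an event, chaining it to the previous one."""
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        prev = self.events[-1].digest if self.events else GENESIS
        ev = Event(kind, at, actor, prev, event_digest(kind, at, actor, prev))
        self.events.append(ev)
        return ev

    def first(self, kind: str) -> datetime | None:
        return next((e.at for e in self.events if e.kind == kind), None)

    def verify_trail(self) -> bool:
        """Recompute every digest; an edited or reordered event breaks the chain."""
        prev = GENESIS
        for e in self.events:
            if e.prev_hash != prev or e.digest != event_digest(e.kind, e.at, e.actor, prev):
                return False
            prev = e.digest
        return True

    def ack_status(self, now: datetime) -> str:
        """'met', 'open' or 'breached' against the 48h acknowledgment window."""
        received = self.first("received")
        if received is None:
            raise ValueError("no 'received' event")
        deadline = received + ACK_SLA
        acked = self.first("acknowledged")
        if acked is not None:
            return "met" if acked <= deadline else "breached"
        return "open" if now <= deadline else "breached"

    def cra_deadlines(self) -> dict[str, datetime]:
        """Art. 14 clocks start when active exploitation is confirmed."""
        aware = self.first("exploitation_confirmed")
        if aware is None:
            return {}
        return {"early_warning": aware + EARLY_WARNING,
                "notification": aware + NOTIFICATION}


def build_sample_case() -> CaseTracker:
    """Constructed sample timeline, not real data."""
    utc = timezone.utc
    case = CaseTracker("VDP-2025-0001")
    case.record("received", datetime(2025, 1, 6, 9, 0, tzinfo=utc), "intake-form")
    case.record("acknowledged", datetime(2025, 1, 7, 15, 30, tzinfo=utc), "triage")
    case.record("exploitation_confirmed", datetime(2025, 1, 8, 10, 0, tzinfo=utc), "triage")
    return case


def demo() -> dict:
    now = datetime(2025, 1, 8, 12, 0, tzinfo=timezone.utc)
    case = build_sample_case()
    # A report nobody has acknowledged after 51 hours: the SLA is already breached.
    stale = CaseTracker("VDP-2025-0002")
    stale.record("received", datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc))
    # Simulate an after-the-fact edit of the trail: actor changed, digest kept.
    forged = CaseTracker(case.case_id, list(case.events))
    forged.events[1] = replace(forged.events[1], actor="someone-else")
    d = case.cra_deadlines()
    return {"ack": case.ack_status(now),
            "unacked": stale.ack_status(now),
            "early_warning": d["early_warning"].isoformat(),
            "notification": d["notification"].isoformat(),
            "trail_ok": case.verify_trail(),
            "forged_trail_ok": forged.verify_trail()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the sample case's status: acknowledgment met, the untouched trail verifying, and the edited copy failing verification because the stored digest no longer matches the recomputed one.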

Frequently asked

What is a vulnerability disclosure platform?
A vulnerability disclosure platform (VDP) is software that operates the intake, triage, and tracking of security reports about a product or service. It typically includes a public-facing policy page, a structured submission form, acknowledgment automation, a triage workflow, and an audit trail. Some VDPs also include researcher payment (bug bounty), but payment is not required.

Is a VDP the same as a bug bounty platform?
No. A VDP is the intake and coordination layer. A bug bounty programme adds financial incentives for researchers. You can run a VDP without a bounty. Many regulated industries do, because the legal and operational obligation is to receive and handle reports, not to pay for them.

Does the EU CRA require a VDP?
Article 13 of the Cyber Resilience Act requires every manufacturer of products with digital elements to have a coordinated vulnerability disclosure policy and a single point of contact. In practice this means operating a VDP. The regulation does not mandate a specific platform.

What is the difference between a VDP and a CVD portal?
The terms overlap heavily. A VDP is the broader US industry term; a CVD portal is the term more common in EU regulatory and standards documents (ISO/IEC 29147). For the CRA use case, the practical requirement is the same: a published policy, an intake channel, an acknowledgment SLA, and a documented coordination process.

How long does it take to stand up a VDP?
With CVD Portal, the technical setup is under an hour: register, customise branding, publish the policy URL in your security.txt. The longer work is internal: agreeing on triage owners, response SLAs, and disclosure embargo defaults. Most manufacturers complete this in two to four weeks.

How does CVD Portal differ from generic VDPs?
CVD Portal is purpose-built for the CRA manufacturer scope. It includes the Article 14 reporting workflow (24h, 72h, final report to ENISA and the relevant national CSIRT), CSAF 2.0 advisory generation, and EU data residency by default. Generic VDPs cover the intake and triage layer; they typically do not cover the regulator-reporting side.
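The security.txt mentioned in the setup answer is where a researcher finds the policy URL and the contact channel, so an expired or malformed file quietly defeats the VDP no matter how good the intake behind it is. The following is an added example, not CVD Portal's code: an offline linter for the file, with field rules taken from RFC 9116 (Contact and Expires mandatory, Expires and Preferred-Languages at most once, Expires under a year ahead) and the CSAF field check taken from the CSAF 2.0 standard, which expects a CSAF field pointing at provider-metadata.json. The sample files, the finding levels and the reference time NOW are constructed for this example, and example.com is a placeholder. It goes slightly beyond the page by also accepting a PGP clearsigned file, since that is how a signed security.txt is normally published.

```python
"""Offline linter for security.txt (RFC 9116), the file that publishes a VDP's
contact channel and policy URL. Added example, not CVD Portal's code: field
rules follow RFC 9116; the CSAF check follows the CSAF 2.0 standard. Sample
files and the reference time NOW are constructed for this example."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

CONTACT_SCHEMES = ("mailto:", "tel:", "https://")
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # constructed reference time


def parse_security_txt(text: str) -> list[tuple[str, str]]:
    """(field, value) pairs with lower-cased names; skips blanks, '#' comments
    and a PGP clearsign wrapper (armor headers skipped, stop at signature)."""
    fields: list[tuple[str, str]] = []
    in_armor_header = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNATURE-----":
            break                          # remainder is the signature block
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_armor_header = True         # e.g. "Hash: SHA256" follows
            continue
        if in_armor_header:
            in_armor_header = bool(line)   # header block ends at a blank line
            continue
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if not _ or not re.fullmatch(r"[a-z-]+", name):
            fields.append(("<malformed>", line))  # no colon or bad field name
            continue
        fields.append((name, value.strip()))
    return fields


def _parse_expires(value: str) -> datetime | None:
    # RFC 3339 timestamp with a zone offset; None if unparseable or naive.
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo is not None else None


def check_security_txt(text: str, now: datetime) -> list[tuple[str, str]]:
    """Return (level, message) findings; level is 'error', 'warn' or 'info'."""
    out: list[tuple[str, str]] = []
    by_name: dict[str, list[str]] = {}
    for name, value in parse_security_txt(text):
        by_name.setdefault(name, []).append(value)
    for line in by_name.get("<malformed>", []):
        out.append(("error", f"line is not 'Field: value': {line!r}"))
    contacts = by_name.get("contact", [])
    if not contacts:
        out.append(("error", "no Contact field; RFC 9116 requires at least one"))
    for c in contacts:
        if not c.startswith(CONTACT_SCHEMES):
            out.append(("warn", f"Contact should be a mailto:, tel: or https: URI: {c}"))
    expires = by_name.get("expires", [])
    if len(expires) != 1:
        out.append(("error", f"exactly one Expires field required, found {len(expires)}"))
    else:
        exp = _parse_expires(expires[0])
        if exp is None:
            out.append(("error", f"Expires is not an RFC 3339 timestamp: {expires[0]}"))
        elif exp <= now:
            out.append(("error", f"file expired on {exp.isoformat()}"))
        elif exp - now > timedelta(days=365):
            out.append(("warn", "Expires is over a year away; RFC 9116 recommends less"))
    if len(by_name.get("preferred-languages", [])) > 1:
        out.append(("error", "Preferred-Languages must appear at most once"))
    for key, shown, level, why in (
        ("policy", "Policy", "warn", "researchers need the scope and safe-harbor policy URL"),
        ("canonical", "Canonical", "warn", "ties a signed file to its published location"),
        ("encryption", "Encryption", "info", "without a key, sensitive reports arrive in clear"),
        ("csaf", "CSAF", "info", "CSAF 2.0 expects a pointer to provider-metadata.json"),
    ):
        if key not in by_name:
            out.append((level, f"missing {shown}: {why}"))
    return out


GOOD_SAMPLE = """\
# Constructed sample; example.com is a placeholder domain
Contact: mailto:security@example.com
Contact: https://example.com/vdp/report
Expires: 2025-12-31T23:59:00Z
Encryption: https://example.com/pgp-key.txt
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/vdp/policy
CSAF: https://example.com/.well-known/csaf/provider-metadata.json
Preferred-Languages: en, de
"""
# Same content in a PGP clearsign wrapper; signature body omitted (constructed).
SIGNED_SAMPLE = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + GOOD_SAMPLE
                 + "-----BEGIN PGP SIGNATURE-----\n...\n-----END PGP SIGNATURE-----\n")
BAD_SAMPLE = """\
# Constructed sample with common mistakes
Contact: security@example.com
Expires: 2024-06-30T00:00:00Z
Preferred-Languages: en
Preferred-Languages: de
Hiring https://example.com/jobs
"""
```

Run check_security_txt(BAD_SAMPLE, NOW) to see the three errors (malformed Hiring line, expired file, duplicate Preferred-Languages) and the warnings for the bare email address and the missing Policy and Canonical fields; the good sample, signed or not, produces no findings. Pointing the linter at the file actually served from /.well-known/security.txt, on a schedule, catches the common failure where the file was published once and then allowed to expire.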

Run your VDP on a CRA-native platform

Whitelabel intake. 48h acknowledgment tracking. Article 14 reporting workflow. EU data residency by default.