Coordinated Vulnerability Disclosure Policy (CVD policy)
[Company name]
1. Scope
This Coordinated Vulnerability Disclosure (CVD) policy applies to all products with digital elements manufactured by [Company name].
It describes how security researchers and third parties can report potential vulnerabilities to [Company name] and how [Company name] handles them. It implements the requirement of the Cyber Resilience Act (Reg. (EU) 2024/2847, Annex I Part 2 No. 5) for a coordinated vulnerability disclosure policy and is aligned with ISO/IEC 29147 (Vulnerability Disclosure) and ISO/IEC 30111 (Vulnerability Handling).
2. Reporting a vulnerability
Please report suspected vulnerabilities to security@example.com.
We recommend confidential submission. On request we provide a channel for encrypted communication.
Helpful information includes: affected product and version, a description of the vulnerability, steps to reproduce, potential impact and — if available — a proof of concept. Please do not submit real personal data of third parties.
3. Our process and committed timelines
We acknowledge receipt of a report within 3 business days.
We assess and handle reported vulnerabilities using a structured process aligned with ISO/IEC 30111 (triage, analysis, remediation, follow-up). We keep you updated on progress at reasonable intervals.
We aim to remediate confirmed vulnerabilities within 90 days of receiving the report, or to agree on a coordinated treatment. This period may be extended for complex cases or where coordination with third parties (e.g. component suppliers) is required; we will inform you in such cases.
4. Coordinated disclosure
We prefer coordinated disclosure. After remediation and in coordination with the reporter, we will — where appropriate — publish security information (an advisory), possibly with a CVE identifier. We ask that details be kept confidential until a fix is available or until the agreed disclosure period of 90 days has elapsed.
Where an exploitable vulnerability within the meaning of the CRA exists, we additionally comply with our notification and information obligations towards the competent authorities and affected users.
5. Recognition
We value the work of security researchers. On request, we will credit you as the reporter in our advisories (acknowledgement / "hall of fame"), provided the report was made in accordance with this policy.
6. Safe harbor
We consider security research conducted in good faith and in accordance with this policy to be authorised. [Company name] will not initiate legal action against persons who comply with this policy for their security research, and will not treat such reports as malicious.
The safe-harbor commitment does not cover, in particular: accessing or altering third-party data, intentionally degrading availability (e.g. denial of service), social engineering of employees, or any action beyond what is necessary to confirm a vulnerability. This commitment does not waive any rights against third parties and applies without prejudice to mandatory statutory provisions.
Template, not legal advice — review before publishing. This document is a schematic assembly of your input (§ 2 German Legal Services Act) and does not replace an examination of your individual case by a qualified lawyer.