Cyber Resilience Act · Annex I Part 2

CVD policy generator

The Cyber Resilience Act requires manufacturers to have a documented coordinated vulnerability disclosure policy. Fill in the form and instantly receive a print-ready CVD policy (aligned with ISO/IEC 29147 and 30111) and a security.txt per RFC 9116. Everything runs entirely in your browser.

Your details

e.g. company, street, postcode city, country — appears as the responsible party.

For encrypted submission of vulnerabilities (ISO/IEC 29147 recommends a secure channel).

e.g. "All products with digital elements manufactured by {company}".

e.g. https://your-domain.com/en/cvd-policy — used as the Policy field in security.txt.

This tool is aimed exclusively at entrepreneurs / businesses (§ 14 German Civil Code).

Preview: CVD policy

Coordinated Vulnerability Disclosure Policy (CVD policy)

[Company name]

1. Scope

This Coordinated Vulnerability Disclosure (CVD) policy applies to all products with digital elements manufactured by [Company name].

It describes how security researchers and third parties can report potential vulnerabilities to [Company name] and how [Company name] handles them. It implements the requirement of the Cyber Resilience Act (Reg. (EU) 2024/2847, Annex I Part 2 No. 5) for a coordinated vulnerability disclosure policy and is aligned with ISO/IEC 29147 (Vulnerability Disclosure) and ISO/IEC 30111 (Vulnerability Handling).

2. Reporting a vulnerability

Please report suspected vulnerabilities to security@example.com.

We recommend confidential submission. On request we provide a channel for encrypted communication.

Helpful information includes: affected product and version, a description of the vulnerability, steps to reproduce, potential impact and — if available — a proof of concept. Please do not submit real personal data of third parties.

3. Our process and committed timelines

We acknowledge receipt of a report within 3 business days.

We assess and handle reported vulnerabilities using a structured process aligned with ISO/IEC 30111 (triage, analysis, remediation, follow-up). We keep you updated on progress at reasonable intervals.

We aim to remediate confirmed vulnerabilities within 90 days of receiving the report, or to agree on a coordinated treatment. This period may be extended for complex cases or where coordination with third parties (e.g. component suppliers) is required; we will inform you in such cases.

4. Coordinated disclosure

We prefer coordinated disclosure. After remediation and in coordination with the reporter, we will — where appropriate — publish security information (an advisory), possibly with a CVE identifier. We ask that details be kept confidential until a fix is available or until the agreed disclosure period of 90 days has elapsed.

Where an exploitable vulnerability within the meaning of the CRA exists, we additionally comply with our notification and information obligations towards the competent authorities and affected users.

5. Recognition

We value the work of security researchers. On request, we will credit you as the reporter in our advisories (acknowledgement / "hall of fame"), provided the report was made in accordance with this policy.

6. Safe harbor

We consider security research conducted in good faith and in accordance with this policy to be authorised. [Company name] will not initiate legal action against persons who comply with this policy for their security research, and will not treat such reports as malicious.

The safe-harbor commitment does not cover, in particular: accessing or altering third-party data, intentionally degrading availability (e.g. denial of service), social engineering of employees, or any action beyond what is necessary to confirm a vulnerability. This commitment does not waive any rights against third parties and applies without prejudice to mandatory statutory provisions.

Template, not legal advice — review before publishing. This document is a schematic assembly of your input (§ 2 German Legal Services Act) and does not replace an examination of your individual case by a qualified lawyer.

Preview: security.txt (RFC 9116)

# Coordinated Vulnerability Disclosure — security.txt (RFC 9116)
# Company

Contact: mailto:security@example.com
Expires: 2027-07-18T19:41:20Z
Preferred-Languages: en, de

# Hinterlegen unter https://<ihre-domain>/.well-known/security.txt
# Empfohlen: Datei mit dem im Encryption-Feld genannten Schlüssel signieren (RFC 9116, Abschnitt 2.3).

Finished package by e-mail

You can already see the full preview. We will additionally send you the finished package (print-ready CVD policy as PDF + security.txt for /.well-known/security.txt) for free by e-mail.

Need help implementing it?