CVD Policy Under the CRA: What a Coordinated Vulnerability Disclosure Process Needs
Article 15 makes coordinated vulnerability disclosure a legal obligation for all CRA-subject manufacturers. Here is what your CVD policy must include and how to make it work in practice.
CVD Is Now a Legal Requirement
Before the CRA, coordinated vulnerability disclosure was a best practice. From 11 December 2027, when the CRA's main obligations start to apply, it is a legal obligation under Article 15. Manufacturers must establish and document a CVD policy, provide a publicly accessible reporting channel, acknowledge vulnerability reports without undue delay, investigate and remediate reported vulnerabilities, disclose information about fixed vulnerabilities and available mitigations, and not prevent researchers from disclosing vulnerabilities once a reasonable coordinated period has elapsed.
What Your CVD Policy Must Contain
Scope: Define which products and versions the policy covers.
Reporting channel: A dedicated mailbox (for example security@yourdomain.com) or a web form. Publish an OpenPGP key so that reporters can encrypt details of unpatched bugs in transit. The channel must be publicly accessible and monitored continuously, including over holidays; a mailbox nobody reads does not satisfy the obligation.
Acknowledgement timeline: Commit to a stated bound for acknowledging receipt, typically five business days; this is in line with the short acknowledgement window that ISO/IEC 29147 recommends. The acknowledgement is a receipt, not a verdict on validity.
Default disclosure window: 90 days is the widely accepted standard coordinated disclosure window, extensible by mutual agreement.
Safe harbour: Commit that good-faith security researchers following the policy will not face legal action. Without this, you will receive fewer reports.
CVE assignment: State that you will request CVE identifiers for validated vulnerabilities.
Publish the policy at /security or /vulnerability-disclosure and reference it from a security.txt file (RFC 9116) served at /.well-known/security.txt. RFC 9116 requires a Contact field and an Expires field, so put a reminder in your calendar to refresh the file before it expires; scanners and researchers treat an expired security.txt as unmaintained.
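The following is an added example, not code from the original article or from any vendor: it renders a security.txt for a hypothetical manufacturer (example.com and every URL in it are placeholders) and then runs the checks a CVD programme most often fails: Contact present, Expires present exactly once and still in the future, and https on every web URI. The CSAF field it emits is the pointer to provider-metadata.json defined by the CSAF 2.0 standard rather than by RFC 9116. It is not a complete RFC 9116 validator.

```python
"""Render and sanity-check an RFC 9116 security.txt for a CVD policy.

Added example, not from the original article. example.com and the URLs
below are placeholders for a hypothetical vendor, not real endpoints.
"""
from datetime import datetime, timedelta, timezone

# Constructed policy parameters for a hypothetical vendor.
POLICY = {
    "contact": ["mailto:security@example.com", "https://example.com/security"],
    "encryption": "https://example.com/.well-known/openpgp-key.txt",
    "policy": "https://example.com/vulnerability-disclosure",
    "canonical": "https://example.com/.well-known/security.txt",
    # CSAF field (CSAF 2.0 standard): points at provider-metadata.json
    "csaf": "https://example.com/.well-known/csaf/provider-metadata.json",
    "preferred_languages": "en, de",
}

ISO_Z = "%Y-%m-%dT%H:%M:%SZ"

# Fixed reference time so the example is reproducible.
SAMPLE_NOW = datetime(2027, 1, 15, tzinfo=timezone.utc)

# Constructed, deliberately broken file: no Expires, and an http:// Policy URL.
BAD_FILE = "Contact: mailto:security@example.com\nPolicy: http://example.com/policy\n"


def render_security_txt(policy, now, valid_days=180):
    """Return the file body. Expires is required by RFC 9116 and should be
    less than a year out; 180 days forces a twice-yearly review."""
    expires = (now + timedelta(days=valid_days)).strftime(ISO_Z)
    lines = [f"Contact: {c}" for c in policy["contact"]]
    lines += [
        f"Expires: {expires}",
        f"Encryption: {policy['encryption']}",
        f"Policy: {policy['policy']}",
        f"Canonical: {policy['canonical']}",
        f"Preferred-Languages: {policy['preferred_languages']}",
        f"CSAF: {policy['csaf']}",
    ]
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Field names are case-insensitive; most fields may repeat, so keep lists."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now):
    """Return a list of problems (empty list = passes these checks)."""
    f = parse_security_txt(text)
    problems = []
    if not f.get("contact"):
        problems.append("missing Contact (required)")
    for c in f.get("contact", []):
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a mailto:, https:// or tel: URI: {c}")
    exp_values = f.get("expires", [])
    if len(exp_values) != 1:
        problems.append("Expires must appear exactly once")
    else:
        exp = None
        try:
            # RFC 3339 timestamp; fromisoformat needs +00:00 rather than Z on older Pythons
            exp = datetime.fromisoformat(exp_values[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {exp_values[0]}")
        if exp is not None:
            if exp <= now:
                problems.append("Expires is in the past: the file will be treated as stale")
            elif exp > now + timedelta(days=366):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")
    for name, values in f.items():
        for v in values:
            if v.lower().startswith("http://"):
                problems.append(f"{name}: web URIs must use https: {v}")
    return problems


if __name__ == "__main__":
    body = render_security_txt(POLICY, SAMPLE_NOW)
    print(body)
    print("problems:", check_security_txt(body, SAMPLE_NOW))
    print("bad file:", check_security_txt(BAD_FILE, SAMPLE_NOW))
```

Run the check from CI against the deployed file (fetch it over https, pass the current UTC time) so an expired or downgraded security.txt fails a build rather than sitting unnoticed.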
Handling Reports End-to-End
1. Acknowledge receipt within five business days.
2. Triage: reproduce the issue and assess severity using CVSS.
3. Investigate root cause and scope (which products, versions and components are affected).
4. Develop a fix: target 7-14 days for critical, 30 days for high.
5. Coordinate the disclosure date with the reporter.
6. Request a CVE identifier from a CVE Numbering Authority.
7. Publish a human-readable advisory and a machine-readable CSAF document.
8. Notify affected users and push the security update.
CSAF Advisories
Machine-readable CSAF advisories allow customers' tools to determine automatically whether the products and versions they run are affected by a vulnerability, instead of a person reading a PDF. Publish the advisories under /.well-known/csaf/ together with a provider-metadata.json file at /.well-known/csaf/provider-metadata.json, which tells consumers and aggregators where your advisories live and who publishes them.
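To make the "customers' tools can check automatically" point concrete, here is an added example (not code from the original article or from any CSAF project) that builds a minimal CSAF 2.0 advisory for a hypothetical vendor and product, derives the advisory filename from the tracking ID using the CSAF 2.0 filename rule, and then does what a consumer's tool does: walks the product tree to find the product IDs for the version it runs and reads their status. The vendor, product, tracking ID and CVE are constructed placeholders. The document is schema-shaped but minimal; validate it against the official CSAF 2.0 JSON schema with a CSAF validator before publishing.

```python
"""Minimal CSAF 2.0 advisory plus the consumer-side 'am I affected?' check.

Added example, not from the original article. Vendor, product, tracking ID
and CVE are constructed placeholders; validate against the CSAF 2.0 schema
before publishing anything built this way.
"""
import json
import re

DATE = "2027-03-01T09:00:00.000Z"  # constructed release timestamp


def product_tree(vendor, product, versions):
    """Build vendor -> product_name -> product_version branches and return
    (tree, {version: product_id}). Product IDs are opaque local strings."""
    ids = {}
    version_branches = []
    for i, v in enumerate(versions, start=1):
        pid = f"CSAFPID-{i:04d}"
        ids[v] = pid
        version_branches.append({
            "category": "product_version",
            "name": v,
            "product": {"name": f"{vendor} {product} {v}", "product_id": pid},
        })
    tree = {"branches": [{
        "category": "vendor", "name": vendor,
        "branches": [{"category": "product_name", "name": product,
                      "branches": version_branches}],
    }]}
    return tree, ids


def build_advisory(vendor, product, affected, fixed, cve, tracking_id, title):
    tree, ids = product_tree(vendor, product, affected + fixed)
    affected_ids = [ids[v] for v in affected]
    fixed_ids = [ids[v] for v in fixed]
    return {
        "document": {
            "category": "csaf_security_advisory",
            "csaf_version": "2.0",
            "publisher": {"category": "vendor", "name": vendor,
                          "namespace": "https://example.com"},  # assumed vendor URL
            "title": title,
            "tracking": {
                "id": tracking_id,
                "status": "final",
                "version": "1",
                "initial_release_date": DATE,
                "current_release_date": DATE,
                "revision_history": [{"date": DATE, "number": "1",
                                      "summary": "Initial release"}],
            },
        },
        "product_tree": tree,
        "vulnerabilities": [{
            "cve": cve,
            "product_status": {"known_affected": affected_ids, "fixed": fixed_ids},
            "remediations": [{
                "category": "vendor_fix",
                "details": f"Update to {product} {fixed[-1]} or later",
                "product_ids": affected_ids,
            }],
        }],
    }


def csaf_filename(tracking_id):
    """CSAF 2.0 filename rule: tracking ID lower-cased, every character
    outside [a-z0-9+-] replaced by '_', plus '.json'."""
    return re.sub(r"[^a-z0-9+\-]", "_", tracking_id.lower()) + ".json"


def product_names(tree):
    """Consumer side: walk the product tree, map product_id -> full product name."""
    names = {}

    def walk(branches):
        for b in branches:
            if "product" in b:
                names[b["product"]["product_id"]] = b["product"]["name"]
            walk(b.get("branches", []))

    walk(tree.get("branches", []))
    return names


def status_for(advisory, full_product_name):
    """Consumer side: 'known_affected', 'fixed', ... for the product the
    customer runs, or None if the advisory does not mention it at all."""
    names = product_names(advisory["product_tree"])
    pids = {pid for pid, n in names.items() if n == full_product_name}
    for vuln in advisory["vulnerabilities"]:
        for status, ids in vuln.get("product_status", {}).items():
            if pids & set(ids):
                return status
    return None


# Constructed sample: two affected versions, one fixed version, placeholder CVE.
SAMPLE = build_advisory(
    "Example", "Widget", affected=["1.0", "1.1"], fixed=["1.2"],
    cve="CVE-2099-00001",  # constructed, not a real identifier
    tracking_id="EXAMPLE-2027-0001", title="Example Widget security advisory",
)

if __name__ == "__main__":
    print(csaf_filename(SAMPLE["document"]["tracking"]["id"]))
    print(json.dumps(SAMPLE, indent=2))
    print(status_for(SAMPLE, "Example Widget 1.0"))
```

The value of the format is in the `product_status` lists: a customer running `Example Widget 1.2` gets `fixed`, one on 1.0 gets `known_affected`, and a version you never listed gets nothing, which is why the product tree must enumerate every shipped version rather than only the vulnerable ones.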
Connecting CVD to Article 14
If a vulnerability reported through your CVD programme is subsequently found to be actively exploited, your Article 14 reporting obligations trigger immediately, so CVD and Article 14 handling must be one integrated process rather than two teams with two trackers. Your CVD triage step should therefore include an active-exploitation check against your threat intelligence feeds, CISA's Known Exploited Vulnerabilities (KEV) catalog and the EU Vulnerability Database (EUVD), repeated while the fix is in progress rather than only on intake. If exploitation is confirmed, the 24-hour Article 14 early-warning clock starts from the moment you become aware of it, not from when the advisory or the patch is ready.
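The triage step above, as an added example that is not part of the original article and not any vendor's tooling: it rates a report with the CVSS v3.x qualitative scale, derives the fix deadline from the 7-14 day (critical) and 30 day (high) targets in the process above (using the outer bound; the medium and low targets are assumptions the page does not set), computes the five-business-day acknowledgement deadline, and checks the CVE against a KEV-shaped catalog. Beyond the page's 24-hour clock it also lists the 72-hour vulnerability notification and 14-day final report deadlines of Article 14. The KEV snippet uses the field names of CISA's published JSON feed but its entry is constructed; EUVD and threat-intel hits are represented by a constructed set of IDs because the page does not specify their APIs, and the business-day arithmetic ignores public holidays.

```python
"""CVD triage: severity -> fix target, exploitation check -> Article 14 clock.

Added example, not from the original article. The KEV snippet follows the
field names of CISA's KEV JSON feed but its entry is constructed; EUVD and
threat-intel lookups are stood in for by a constructed set of CVE IDs.
"""
from datetime import datetime, timedelta, timezone

# Fix targets from the process above (outer bound for critical); MEDIUM and
# LOW are assumed values the page does not set.
FIX_TARGET_DAYS = {"CRITICAL": 14, "HIGH": 30, "MEDIUM": 90, "LOW": 180}

# Article 14 deadlines, counted from becoming aware of active exploitation.
ART14 = {
    "early_warning": timedelta(hours=24),
    "vulnerability_notification": timedelta(hours=72),
    "final_report": timedelta(days=14),
}

# Constructed KEV-shaped catalog (real feed: known_exploited_vulnerabilities.json).
KEV_CATALOG = {
    "catalogVersion": "2027.01.15",
    "vulnerabilities": [
        {"cveID": "CVE-2099-00001", "vendorProject": "Example", "product": "Widget",
         "dateAdded": "2027-01-14", "knownRansomwareCampaignUse": "Unknown"},
    ],
}
# Constructed stand-in for EUVD / threat-intel exploitation hits.
OTHER_EXPLOITED = {"CVE-2099-00002"}

# Fixed reference time (a Friday) so the example is reproducible.
SAMPLE_NOW = datetime(2027, 1, 15, 10, 0, tzinfo=timezone.utc)

# Constructed incoming reports; CVE may be None before a CNA assigns one.
SAMPLE_REPORTS = [
    {"cve": "CVE-2099-00001", "cvss_score": 9.8, "received": SAMPLE_NOW},
    {"cve": None, "cvss_score": 7.5, "received": SAMPLE_NOW},
]


def cvss_severity(score):
    """CVSS v3.x qualitative rating scale."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def add_business_days(start, n):
    """Advance n Monday-to-Friday days; public holidays are ignored (assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def kev_entry(cve, catalog=KEV_CATALOG):
    return next((e for e in catalog["vulnerabilities"] if e["cveID"] == cve), None)


def exploitation_evidence(cve):
    """Return the sources that list the CVE as actively exploited."""
    sources = []
    if kev_entry(cve):
        sources.append("KEV")
    if cve in OTHER_EXPLOITED:
        sources.append("EUVD/threat-intel")
    return sources


def triage(report, now):
    """Return the deadlines the CVD process must track for one report.
    'article14' is None unless exploitation evidence exists; when it does,
    every Article 14 deadline is counted from `now`, the moment of awareness."""
    severity = cvss_severity(report["cvss_score"])
    sources = exploitation_evidence(report["cve"]) if report.get("cve") else []
    target = FIX_TARGET_DAYS.get(severity)
    result = {
        "severity": severity,
        "acknowledge_by": add_business_days(report["received"], 5),
        "fix_due": now + timedelta(days=target) if target else None,
        "exploited_sources": sources,
        "article14": None,
    }
    if sources:
        result["article14"] = {name: now + delta for name, delta in ART14.items()}
    return result


if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        print(triage(r, SAMPLE_NOW))
```

Re-run `exploitation_evidence` on a schedule for every open report, not just at intake: a vulnerability that was private on day one can appear in KEV on day ten, and the Article 14 clock starts on the day you could have known.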
Ready to assess your CRA compliance obligations?
Try the Free Applicability Checker