Coordinated vulnerability disclosure (CVD) is a process by which vulnerability finders work together and share information with the relevant stakeholders, such as vendors and ICT infrastructure owners. CVD ensures that software vulnerabilities are disclosed to the public only once the vendor has been able to develop a fix or a patch, or has found a different solution.
National CVD policies are national frameworks of rules and agreements designed to ensure:
- researchers contact the right parties to disclose the vulnerability;
- vendors can develop a fix or a patch in a timely manner;
- researchers get recognition for their work and are protected from prosecution.
The European Union Agency for Cybersecurity (ENISA) recently published a report that maps the national Coordinated Vulnerability Disclosure (CVD) policies in the EU Member States, compares the different approaches, highlights good practices and makes recommendations.
Find the report here.