CVD policy generator
A coordinated vulnerability disclosure policy is a hard requirement under Annex I Part II (5) — and good practice regardless. Five inputs, one solid policy.
CVD policy (Markdown)
# Coordinated Vulnerability Disclosure Policy

_Last updated: 2026-07-03_

[Company] welcomes reports from security researchers and the public. We take every report seriously and investigate all legitimate submissions.

## Scope

This policy applies to: [list your products/domains in scope]

Out of scope: social engineering, physical attacks, denial of service testing, spam, and issues in third-party services we do not control.

## How to report

Email **security@example.com** with:

- A description of the issue and where it was found (product + version)
- Steps to reproduce (proof-of-concept code or screenshots help)
- Impact as you understand it

If you prefer encrypted mail, our PGP key is available at [link].

## What we commit to

- **Acknowledgement within 3 business days.**
- We will keep you informed of progress toward a fix.
- We aim to remediate confirmed vulnerabilities within **90 days**; for actively exploited vulnerabilities we act immediately and comply with our reporting obligations under Article 14 of the EU Cyber Resilience Act.
- We will credit you in our advisory if you wish (or keep you anonymous).

## Safe harbor

We will not pursue legal action against researchers who:

- Make a good-faith effort to follow this policy
- Avoid privacy violations, data destruction, and service degradation
- Do not access or modify data beyond what is needed to demonstrate the issue
- Give us reasonable time to remediate before public disclosure

Thank you for helping keep our users safe.
Where to publish:
- As SECURITY.md in your repository
- As a page on your website (link it from security.txt)
- Reference it in your technical documentation file, since auditors look for it
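The security.txt hand-off mentioned above, as an added example that is not part of this generator: it emits an RFC 9116 security.txt pointing at the published policy and checks the fields an auditor or scanner would flag (Contact present, Expires present once, in the future and at most a year out, Policy over https). The mailbox matches the template; the URLs and dates are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample values (not from the page); the mailbox matches the
# policy template above, the URLs and dates are placeholders.
NOW = datetime(2026, 7, 3, tzinfo=timezone.utc)
POLICY_URL = "https://example.com/.well-known/cvd-policy"

def render_security_txt(contact, policy_url, expires, encryption_url=None):
    """Build an RFC 9116 security.txt that links the published CVD policy."""
    lines = [f"Contact: {contact}",
             f"Expires: {expires.strftime('%Y-%m-%dT%H:%M:%SZ')}",
             f"Policy: {policy_url}"]
    if encryption_url:  # where the PGP key mentioned in the policy lives
        lines.append(f"Encryption: {encryption_url}")
    return "\n".join(lines) + "\n"

def check_security_txt(text, now):
    """Problems an auditor or scanner would flag ([] means fine). Expires is
    accepted in the UTC 'Z' form of ISO 8601 only; Policy links must be https."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            fields.setdefault(name.strip(), []).append(value.strip())
    problems = []
    if "Contact" not in fields:
        problems.append("missing Contact")
    if "Expires" not in fields:
        problems.append("missing Expires")
    elif len(fields["Expires"]) > 1:
        problems.append("more than one Expires")
    else:
        try:
            exp = datetime.strptime(fields["Expires"][0], "%Y-%m-%dT%H:%M:%SZ")
            exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append("Expires is in the past")
            elif exp > now + timedelta(days=365):
                problems.append("Expires more than a year out")
        except ValueError:
            problems.append("Expires is not ISO 8601")
    for url in fields.get("Policy", []):
        if not url.startswith("https://"):
            problems.append("Policy URL must be https")
    return problems

GOOD = render_security_txt("mailto:security@example.com", POLICY_URL,
                           NOW + timedelta(days=180), "https://example.com/pgp-key.txt")
STALE = render_security_txt("mailto:security@example.com", POLICY_URL,
                            NOW - timedelta(days=1))  # expired: a stale file
```

Serve the rendered text at `/.well-known/security.txt` and re-run the check whenever the Expires date is refreshed.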