CRAdarCheck

CVD policy generator

A coordinated vulnerability disclosure policy is a hard requirement under Annex I Part II (5) — and good practice regardless. Five inputs, one solid policy.

CVD policy (Markdown)
# Coordinated Vulnerability Disclosure Policy

_Last updated: 2026-07-03_

[Company] welcomes reports from security researchers and the public. We take every
report seriously and investigate all legitimate submissions.

## Scope

This policy applies to: [list your products/domains in scope]

Out of scope: social engineering, physical attacks, denial of service testing,
spam, and issues in third-party services we do not control.

## How to report

Email **security@example.com** with:

- A description of the issue and where it was found (product + version)
- Steps to reproduce (proof-of-concept code or screenshots help)
- Impact as you understand it

If you prefer encrypted mail, our PGP key is available at [link].

## What we commit to

- **Acknowledgement within 3 business days.**
- We will keep you informed of progress toward a fix.
- We aim to remediate confirmed vulnerabilities within **90 days**; for
  actively exploited vulnerabilities we act immediately and comply with our
  reporting obligations under Article 14 of the EU Cyber Resilience Act.
- We will credit you in our advisory if you wish (or keep you anonymous).

## Safe harbor

We will not pursue legal action against researchers who:

- Make a good-faith effort to follow this policy
- Avoid privacy violations, data destruction, and service degradation
- Do not access or modify data beyond what is needed to demonstrate the issue
- Give us reasonable time to remediate before public disclosure

Thank you for helping keep our users safe.

Where to publish:

  • As SECURITY.md in your repository
  • As a page on your website (link it from security.txt)
  • Reference it in your technical documentation file — auditors look for it
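An added example, not part of the generator's output: a security.txt (RFC 9116) for the website option above, served at /.well-known/security.txt and pointing at the published policy. The policy, PGP key and acknowledgments URLs are placeholders to replace with your own.

```text
# Served at https://www.example.com/.well-known/security.txt  (RFC 9116)
# All URLs below are placeholders; only the contact address matches the policy text.

# Required: where reports go (same address as the "How to report" section)
Contact: mailto:security@example.com

# Required: after this date the file is considered stale; RFC 9116 recommends
# keeping it less than a year out and refreshing it on a schedule
Expires: 2027-07-03T00:00:00.000Z

# The published CVD policy (the Markdown above)
Policy: https://www.example.com/security/cvd-policy

# PGP key for encrypted reports (the [link] placeholder in the policy)
Encryption: https://www.example.com/.well-known/pgp-key.txt

# Optional: page listing credited researchers
Acknowledgments: https://www.example.com/security/thanks

Preferred-Languages: en

# The file's own URL, so a signed copy cannot be quietly re-hosted elsewhere
Canonical: https://www.example.com/.well-known/security.txt
```

Contact and Expires are the only mandatory fields; signing the file with the same PGP key (a cleartext signature) lets reporters verify that the contact details have not been tampered with.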