OBL-ART13-07
Binding

Establish and publish a coordinated vulnerability disclosure (CVD) policy

Applies to
Manufacturer
Sources
Art. 13(7); Annex I Part II §1
Product classes
default, important-class-i, important-class-ii, critical
Last reviewed

Plain language

You must post a clear process for reporting security bugs. Give an email address or web form for reports. Say how fast you will acknowledge a report. Explain how you will work with the reporter before a fix is made public. A security.txt file served at /.well-known/security.txt on your website is the standard way to make this discoverable.

Legal text

Article 13(7) of Regulation (EU) 2024/2847 and Annex I Part II §1 require manufacturers to:

  • Identify and document vulnerabilities and components contained in the product
  • Put in place and enforce a policy on coordinated vulnerability disclosure
  • Take measures to facilitate the sharing of information about potential vulnerabilities, including providing a contact address for reporting vulnerabilities discovered in the product

The CVD policy must be publicly accessible so that external reporters can find it without first having to ask.

Key requirements

  1. Public CVD policy — published on your website and discoverable
  2. Security contact — dedicated email address or web form for vulnerability reports (e.g. security@example.com)
  3. security.txt file — publish at /.well-known/security.txt over HTTPS per RFC 9116 to make the contact machine-discoverable; Contact and Expires are mandatory fields, and a file whose Expires date has passed is treated as stale
  4. Acknowledgement commitment — state a timeframe for acknowledging receipt (ENISA recommends ≤ 5 business days)
  5. Disclosure timeline — describe the coordinated disclosure process, including how you handle embargo periods with researchers
  6. Scope statement — indicate which products and versions the policy covers

Recommended CVD policy elements

Based on ENISA's CVD guidelines and CRA Annex I Part II:

  • Contact address and preferred contact method
  • PGP / S/MIME key for encrypted submissions (recommended)
  • Languages supported for reports
  • Acknowledgement timeframe
  • Expected timeline for remediation updates
  • Disclosure coordination process (embargo, researcher credit, CVE assignment)
  • Safe-harbour statement for good-faith researchers

Evidence you may need

  • Published CVD policy (URL)
  • /.well-known/security.txt file
  • Vulnerability intake log (confidential — not publicly required)
  • Records of reports received and how they were handled
Establish and publish a coordinated vulnerability disclosure (CVD) policy — CRA-Compliance-Hub