Implement your own Coordinated Vulnerability Disclosure policy

Report a vulnerability (CVD)

Implement a CVD policy

Researchers or organisations regularly discover new vulnerabilities in products or services. The person making the discovery can inform the owners of these products through Coordinated Vulnerability Disclosure. As a result, owners can implement measures before the vulnerabilities are actively exploited by third parties. The NCSC has operated a policy for Coordinated Vulnerability Disclosure (CVD) for quite some time now. This policy was previously known as Responsible Disclosure.

CVD policy guidelines

Organisations can prepare their own CVD policy using the guidelines. Examples include the way in which reporting parties can pass on vulnerabilities to the organisation, agreements about reporting, resolution deadlines and any reward to reporting parties.

The NCSC has received and processed several hundred reports since 2013. Many Dutch organisations actively operate a CVD policy. This fact illustrates the added value of a CVD process: digital resilience in the Netherlands increases because we help each other in this matter.