Coordinated Vulnerability Disclosure: the Guideline

The aim of Coordinated Vulnerability Disclosure (CVD) is to improve the security of IT systems by sharing knowledge about vulnerabilities. Owners of IT systems can then mitigate vulnerabilities before they are actively abused by third parties. The guideline Coordinated Vulnerability Disclosure is a revision of the guideline Responsible Disclosure from 2013.


This revised guideline pays additional attention to the human factor in a successful CVD policy and to the importance of good mutual communication. With the help of this guideline, organisations can create their own CVD policy. Such a policy can cover, for example, how reporters can submit vulnerabilities to the organisation, agreements about messaging, mitigation terms and possible rewards for the reporter.

Since 2013, the NCSC has received and processed hundreds of reports. Many Dutch organisations actively pursue a CVD policy. This illustrates the added value of a CVD process in improving the digital resilience of the Netherlands.