Guideline supports organisations with their CVD-policy

The aim of Coordinated Vulnerability Disclosure (CVD) is to improve the security of IT systems by sharing knowledge about vulnerabilities. Owners of IT systems can then mitigate vulnerabilities before third parties actively abuse them.

Today the NCSC publishes 'Coordinated Vulnerability Disclosure: The Guideline' during the One Conference. This is a revision of the 2013 guideline 'Responsible Disclosure'.

The revised guideline pays special attention to the human factor in a successful CVD-policy and to the importance of clear mutual communication. With the help of this guideline, organisations can create their own CVD-policy. Such a policy can cover, for example, how reporters can submit vulnerabilities to the organisation and how to make agreements about messaging, mitigation terms and possible rewards for the reporter.

Since 2013 the NCSC has received and processed hundreds of reports. Many Dutch organisations actively pursue a CVD-policy. This illustrates the added value of a CVD-process in improving the digital resilience of the Netherlands.