Coordinated Vulnerability Disclosure Policy

The Coordinated Vulnerability Disclosure Policy (CVD), designated as P39, establishes a structured and formal process for the receipt, handling, and public disclosure of vulnerabilities in the organization's network and information systems. This policy has been specifically developed to address gaps identified in previous policies regarding the reporting and coordination of externally detected vulnerabilities, ensuring proactive compliance with NIS2 Directive Article 21(2)(e) as well as alignment with international standards including ISO/IEC 29147 and Commission Implementing Regulation (EU) 2024/2690. The purpose of this policy is twofold: to facilitate timely detection and resolution of security vulnerabilities by leveraging both internal assessments and external input, and to create clear, secure pathways for external parties, such as security researchers, partners, and customers, to report vulnerabilities. Specifically, the policy mandates the establishment of a public-facing vulnerability reporting channel, typically a security contact email or encrypted web form published on the organization’s website, which supports safe and effective communication with reporters. This CVD policy details the duties and collaboration required between all involved parties: the Vulnerability Response Team (VRT), responsible for triaging and coordinating remediation and disclosure; IT and development teams, who validate and address technical aspects of vulnerabilities; communications professionals, who prepare advisories for stakeholders and the public; and the external reporters themselves, who must adhere to responsible disclosure guidelines. Importantly, the policy enshrines a 'safe harbor' principle: good-faith researchers who act according to policy rules are protected from legal actions, fostering a cooperative vulnerability management culture. The policy is explicit about service levels and controls: acknowledgments of reports are guaranteed within 2 business days, severity is triaged promptly, and critical vulnerabilities trigger accelerated mitigation and escalation to management. Disclosure timelines are stated (typically within 90 days or upon mutual agreement), and public advisories are coordinated to maximize security while crediting reporters who consent to be named. The confidentiality of submitted vulnerabilities and reporter identities is emphasized until coordinated public disclosure is agreed. Governance over the CVD program is strict. The policy is reviewed annually or after significant incidents, with requirements for continuous improvement based on post-mortem reviews. Metrics are tracked, logs maintained, and regular audits are mandated to ensure transparency and effectiveness in vulnerability handling according to the policy and relevant regulations. This policy is not tailored to SMEs (there is no SME notation such as 'S'), and presumes dedicated security, development, and communication functions for proper CVD operation, all meeting strict requirements for ISO/IEC 27001:2022 and sectoral directives like NIS2.