GFCE Global Good Practices: Coordinated Vulnerability Disclosure (CVD)

Publish Date: 21 November 2017

The unprecedented uptake of information and operational/industrial control system technologies (IT and OT/ICS) worldwide is making economic sectors, public institutions and societies increasingly dependent on them. Vulnerabilities in software and hardware are abundant. When a vulnerability is found by a third party, the challenge arises of how to report it in a prudent way to the actors who can remove it. Time is needed to fix the vulnerability before a wider audience is informed.

Coordinated Vulnerability Disclosure (CVD) pertains to the mechanisms by which vulnerabilities are shared and disclosed in a controlled way. This Global Good Practice document helps to shape a concerted international approach and supports the establishment of national CVD policies. The emphasis of these good practices is on software manufacturers, vendors and user organisations, as they are key to a successful CVD policy. Government usually plays a facilitating role, for instance by diminishing legal challenges and promoting CVD. This document provides political leadership, government policy-makers and other stakeholders with the insight needed to implement the most important elements of a CVD policy.