Coordinated Vulnerability Disclosure (CVD)
What is Coordinated Vulnerability Disclosure (CVD)?
Coordinated Vulnerability Disclosure (CVD): A process in which a vulnerability finder, the affected vendor, and sometimes a coordinator agree on a timeline before publicly disclosing security flaws.
Coordinated Vulnerability Disclosure (CVD), often called responsible disclosure, structures how researchers report flaws and how vendors respond. Typical steps are: private report to a security contact, acknowledgement and triage, agreement on a remediation timeline (often 60 to 90 days), patch release, then public advisory with a CVE identifier and credit to the researcher. National CERTs, CISA, and platforms such as HackerOne can act as neutral coordinators when communication is difficult. Compared with full disclosure, CVD reduces the time defenders are exposed while still motivating vendors to fix issues. Effective programs require a published security contact, a clear policy, safe-harbour language, and realistic SLAs.
● Examples
- Reporting a flaw to a vendor via security.txt or a PSIRT mailbox, agreeing on a 90-day fix window.
- Using CERT/CC or a national CSIRT as a coordinator for a multi-vendor vulnerability.
● Frequently asked questions
What is Coordinated Vulnerability Disclosure (CVD)?
A process in which a vulnerability finder, the affected vendor, and sometimes a coordinator agree on a timeline before publicly disclosing security flaws. It belongs to the Attacks & Threats category of cybersecurity.
What are other names for Coordinated Vulnerability Disclosure (CVD)?
Common alternative names include: CVD, Responsible disclosure.
● Related terms
- Bug Bounty Program (attacks): A formal initiative through which an organisation invites external researchers to report security vulnerabilities and pays rewards based on impact.
- Vulnerability (vulnerabilities): A weakness in a system, application, or process that an attacker can exploit to violate confidentiality, integrity, or availability.
- CVE (Common Vulnerabilities and Exposures) (vulnerabilities): A public catalogue that assigns a unique identifier to each disclosed software or hardware vulnerability so they can be referenced unambiguously across the industry.
- Incident Response (forensics-ir): The organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned.
- Patch Management (defense-ops): The end-to-end process of identifying, testing, deploying, and verifying software updates that fix vulnerabilities or bugs.
- Vulnerability Assessment (defense-ops): A systematic review of an environment to identify, classify, and prioritise security weaknesses, typically without active exploitation.
● See also
- White Hat Hacker
- Grey Hat Hacker
- Ethical Hacker