
Coordinated Vulnerability Disclosure
The digital world sees new vulnerabilities being discovered every day. These weaknesses can leave users exposed to attacks designed to steal data or to disrupt critical systems. Coordinated Vulnerability Disclosure (CVD) is critical to protecting users. This mechanism ensures that vulnerabilities are disclosed to the public only after the responsible parties have developed a fix or a patch, or have provided mitigation measures that limit the threat posed by exploitation of the vulnerability.
In many cases CVD entails a multi-party approach. The objective of such an approach is to limit the unwanted impact following the exploitation of a vulnerability. To achieve this objective, participating stakeholders are expected to follow agreed guidelines and common steps. Different types of stakeholders may actively participate in the vulnerability disclosure process, including vulnerability researchers, coordinators, ICT providers and vendors.
ENISA’s activities in Coordinated Vulnerability Disclosure
Considering its criticality for strengthening the cybersecurity of the single market, ENISA has developed a significant knowledge base on CVD. As the secretariat of the EU CSIRTs network, ENISA supports CSIRTs designated as coordinators in cooperating within the network when a reported vulnerability is assessed to have a potentially significant impact on entities in more than one Member State.
ENISA regularly publishes guidelines and studies to assist Member States in establishing CVD policies, as well as handbooks, good-practice guides and gap analyses. These are updated in line with the evolving policy context, including the Cybersecurity Act (2019), the NIS2 Directive (2022) and the Cyber Resilience Act (2024), which entered into force on 10 December 2024. Products will bear the CE marking to indicate that they comply with the regulation's requirements. The main obligations of the CRA will apply from 11 December 2027.
In particular, the NIS2 Directive further underlines the importance of CVD and reinforces ENISA's role. The NIS2 Directive mandates the involvement of the CSIRTs in the national coordinated vulnerability disclosure processes, and tasks ENISA with the development and maintenance of a European Vulnerability Database to enable all organisations and their suppliers to register and disclose, on a voluntary basis, vulnerabilities in their ICT products and services.
CSIRTs Network’s Coordinated Vulnerability Disclosure Policy
By supporting the EU CSIRTs in their coordination work, ENISA has been maintaining a vulnerability registry service since becoming a CVE Numbering Authority (CNA) in January 2024. ENISA is a CNA for vulnerabilities in information technology (IT) products discovered by European Union Computer Security Incident Response Teams (CSIRTs) or reported to EU CSIRTs for coordinated disclosure. Building upon the EU CSIRTs coordination work, ENISA is registered as a ‘Consortium’ organisation under the Partner List of the CVE Programme.