Vulnerability Disclosure

By setting rules for identifying, fixing, mitigating, and reporting new vulnerabilities before they are exploited, CVD is crucial for protecting users and strengthening cybersecurity in the EU.

Image
Image with CVD (Coordinated vulneImage with CVD (Coordinated vulnerability Disclosure) initials and icons describing the processrability Disclosure) initials and icons describing the process

Coordinated Vulnerability Disclosure

The digital world sees constantly the discovery of new vulnerabilities. These weaknesses can leave users exposed to attacks that steal data or disrupt critical systems. Coordinated Vulnerability Disclosure (CVD) is critical to protecting users. It tries to ensure that vulnerabilities are disclosed to the public after the responsible parties developed a fix, a patch or provide mitigation measures to limit the threat posed by the exploitation of a vulnerability.

In many cases CVD entails a multi-party approach, which aims at reducing the unwanted impact arising from vulnerability exploitation, by following agreed guidelines and common steps expected by the participating stakeholders. Different types of stakeholders may actively participate in the vulnerability disclosure process, including vulnerability researchers, coordinators, ICT providers and vendors.

ENISA’s activities in Coordinated Vulnerability Disclosure

Considering its criticality for strengthening the cybersecurity of the single market, ENISA developed a significant knowledge base on CVD. In its role as the secretariat of the EU CSIRTs network, ENISA supports CSIRTs designated as coordinators to cooperate within the network, in case a reported vulnerability is assessed to have a potential significant impact on entities in more than one Member State.

ENISA regularly published guidelines and studies to assist Member States in establishing CVD policies as well as handbooks, good practices guides, and gap analyses. These are updated in line with the evolving policy context, including the Cybersecurity Act (2019), the NIS2 Directive (2022), and the upcoming Cyber Resilience Act (2024).

In particular, the NIS2 Directive further emphasises the importance of CVD and reinforces ENISA's commitment to it. The NIS2 Directive mandates the involvement of the CSIRTs in the national coordinated vulnerability processes, and tasks ENISA with the development and maintenance of a European Vulnerability Database to enable all organisations and their suppliers to register and disclose, on a voluntary basis, vulnerabilities in their ICT products and services.

CSIRTs Network’s Coordinated Vulnerability Disclosure Policy

By supporting the EU CSIRTs in their coordination work, ENISA maintains a vulnerability registry service after becoming a CVE Numbering Authority (CNA) in January 2024. ENISA is a CNA for vulnerabilities in information technology (IT) products discovered by European Union Computer Security Incident Response Teams (CSIRTs) or reported to EU CSIRTs for coordinated disclosure. Building upon the EU CSIRTs coordination work, ENISA is registered as a ‘Consortium’ organisation under the Partner List of the CVE Programme.

Find out more: