CVD: drafting and publishing a coordinated vulnerability disclosure policy
The coordinated vulnerability disclosure (CVD) policy is a public document that most connected product manufacturers have never produced, because before the CRA, nothing required it. From 11 September 2026, its absence constitutes a direct non-conformity finding. This article explains what a CVD policy must contain under CRA Annex I Part II and prEN 40000-1-3, how it differs from the internal vulnerability handling procedure, how to make it operational rather than decorative, and what the safe harbour clause implies legally.