# Vulnerability Disclosure Policy

**[Your Company Name]**

**Effective Date:** [Date]

**Version:** 1.0

---

## 1. Introduction

[Your Company Name] is committed to the security of our products and the safety of our customers. We welcome and encourage security researchers and the broader community to report vulnerabilities they discover in our products. This policy describes how to report vulnerabilities, what to expect from us, and what we ask of you.

This policy is published in compliance with the EU Cyber Resilience Act (Regulation EU 2024/2847), Annex I, Part II, Section 5.

## 2. Scope

This policy applies to all products manufactured and distributed by [Your Company Name], including:

- [Product Name 1] (firmware and associated software)
- [Product Name 2]
- [Add additional products]

Out of scope:

- Third-party services or software not developed by [Your Company Name]
- Social engineering attacks against employees or contractors
- Physical attacks against our offices or data centers

## 3. How to Report a Vulnerability

Please report vulnerabilities to:

- **Email:** security@[yourcompany].com
- **PGP Key:** [Link to PGP key or fingerprint]
- **Web Form:** [URL if applicable]
- **security.txt:** https://[yourcompany].com/.well-known/security.txt

When reporting, please include:

1. **Product and version** affected
2. **Description** of the vulnerability
3. **Steps to reproduce** (proof of concept if possible)
4. **Impact assessment** — what an attacker could achieve
5. **Your contact information** for follow-up

Please encrypt sensitive reports using our PGP key.

## 4. What to Expect

| Step | Timeline |
|------|----------|
| Acknowledgment of your report | Within **2 business days** |
| Initial assessment and triage | Within **5 business days** |
| Status update on remediation | Within **15 business days** |
| Security update released | Within **90 days** (critical: 30 days) |
| Public disclosure | Coordinated, after patch availability |

We will keep you informed of our progress and notify you when the issue has been resolved.

## 5. Safe Harbor

We consider security research conducted in accordance with this policy to be:

- **Authorized** under applicable anti-hacking laws
- **Exempt** from restrictions in our Terms of Service that would interfere with security research
- **Lawful**, helpful to the security of our products, and conducted in good faith

We will not pursue legal action against researchers who:

- Follow this disclosure policy
- Make good-faith efforts to avoid privacy violations, data destruction, and service disruption
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Do not publicly disclose vulnerability details before a fix is available

## 6. Our Commitments

- We will respond to your report promptly
- We will work with you to understand and validate the issue
- We will address confirmed vulnerabilities in a timely manner
- We will credit you publicly (unless you prefer anonymity) when we disclose fixed vulnerabilities
- We will report actively exploited vulnerabilities to ENISA/relevant CSIRTs within 24 hours as required by CRA Article 14

## 7. Public Disclosure

After a vulnerability has been remediated and a security update is available:

- We will publish a security advisory describing the vulnerability and the fix
- We will request a CVE ID for confirmed vulnerabilities
- We will coordinate the public disclosure timeline with the reporter
- We aim for public disclosure within **14 days** of patch availability

## 8. Recognition

We maintain a [Security Hall of Fame / Acknowledgments page] at [URL] to recognize researchers who have contributed to the security of our products.

## 9. Contact

For questions about this policy, contact security@[yourcompany].com.

---

*This template is provided by Stack Canary (stack-canary.com) as a starting point. Adapt it to your organization's specific products, processes, and legal requirements. This does not constitute legal advice.*
