{"id":17579,"date":"2022-08-16T16:38:42","date_gmt":"2022-08-16T14:38:42","guid":{"rendered":"https:\/\/duthler.nl\/services\/organising-accountability\/coordinated-vulnerability-disclosure-cvd\/"},"modified":"2026-02-05T10:22:44","modified_gmt":"2026-02-05T09:22:44","slug":"coordinated-vulnerability-disclosure-cvd","status":"publish","type":"page","link":"https:\/\/duthler.nl\/en\/services\/protecting-personal-data\/organising-accountability\/coordinated-vulnerability-disclosure-cvd\/","title":{"rendered":"Coordinated Vulnerability Disclosure (CVD)"},"content":{"rendered":"\n
<\/span>
\n
<\/div>\n\n\n\n

Need help organizing your Coordinated Vulnerability Disclosure (CVD) policy?<\/h2>\n\n\n\n

Cyber threats arise from vulnerabilities in the ICT infrastructure, applications and\/or in the organization of business activities. They can undermine the effective protection of company activities and of company and personal data. Ultimately, these vulnerabilities can threaten the continuity of business operations and even shut down a company. The causes of the vulnerabilities can lie in, for example, the complexity of the digital systems, the lack of \u201csecurity by design\u201d, incorrect implementation and\/or insufficient testing. The causes may also lie with chain partners who supply products, applications and services to the company. <\/p>\n\n\n\n

\n
\n

Sharing research results<\/strong><\/p>\n\n\n\n

A vulnerability can be noticed by an unknown researcher. If this researcher is in good faith, he will be happy to share the research results with the company. It is important to handle the researcher\/reporter and the report correctly to prevent the information from falling into unwanted hands before the company can resolve the vulnerability. <\/p>\n\n\n\n

With a Coordinated Vulnerability Disclosure (CVD) policy, a company can arrange that vulnerabilities identified outside the company are handled in a controlled manner (under your direction). The policy sets out frameworks for documenting and analyzing these vulnerabilities and quickly resolving them by taking appropriate measures. <\/p>\n<\/div>\n\n\n\n

\n

As a result, the consequences for business operations are limited. On the website, the company states in a CVD Policy how vulnerabilities can be reported and under what conditions.<\/p>\n\n\n\n

Embedding in your own organization<\/strong><\/p>\n\n\n\n

Before a company can go public with a CVD Statement, CVD must first be set up in its own organization. After all, promising a researcher to work according to agreements and then not fulfilling them can have the opposite effect, causing the researcher to take other paths to exploit the vulnerability.<\/p>\n<\/div>\n<\/div>\n\n\n\n

<\/div>\n<\/div><\/div>\n\n
<\/span>
\n
<\/div>\n\n\n\n

What is our approach?<\/h2>\n\n\n\n

A company has to make choices about how it wants to organize CVD. If there is little knowledge and\/or capacity available, it can be decided to outsource the process. You can also opt for partial outsourcing and supplementing your own knowledge through training.<\/p>\n\n\n\n

\n
\n

Support<\/h3>\n\n\n\n

We can support you with:<\/p>\n\n\n\n