Policy: NCSC Coordinated Vulnerability Disclosure (CVD) Framework
Applies to: All digital infrastructures and ICT services within Switzerland’s jurisdiction, including systems operated by the Federal Administration and private sector entities whose vulnerabilities could impact national digital security. Participation is open to security researchers acting in good faith.
Provision: NCSC Coordinated Vulnerability Disclosure (CVD) Framework
Description: Switzerland’s National Cyber Security Centre (NCSC) established a national Coordinated Vulnerability Disclosure (CVD) framework in December 2022. The framework outlines non-binding but formalized procedures for the intake, triage, and remediation of reported security vulnerabilities. It provides safe harbor protections for good-faith researchers, supports anonymous submissions, and requires initial triage within five business days and remediation within sixty days. The NCSC also acts as a CVE Numbering Authority (CNA) for relevant cases. While participation is voluntary and the framework does not include financial incentives, it encourages the publication of vulnerability disclosure points of contact and fosters alignment with recognized CVD best practices. The framework remains active beyond the duration of the 2022–2025 “Promotion of Ethical Hacking” initiative and reflects Switzerland’s national commitment to structured vulnerability handling and disclosure.
Date: December 2022
Organization: National Cyber Security Centre (NCSC), under the Federal Department of Defence, Civil Protection and Sport (DDPS); transitioning to the Federal Office for Cybersecurity (BACS) as of 2024

Policy: ENISA Technical Implementation Guide for NIS2 Directive (Version 1.0)
Applies to: Essential and important entities subject to the Implementing Regulation (EU) 2024/2690, including DNS service providers, top-level domain registries, cloud computing and datacenter providers, content delivery networks, managed service and security service providers, online marketplaces, search engines, social networking platforms, and trust service providers.
Provision: Section 6.4.2 – Vulnerability handling and disclosure
Description: Section 6.4.2 of the ENISA Technical Implementation Guide for NIS2 (v1.0, June 2025) provides non-binding technical guidance on the implementation of Article 21(2)(f) of Directive (EU) 2022/2555 and Annex I, Section 6 of the Implementing Regulation (EU) 2024/2690. It emphasizes the establishment of formal vulnerability handling and disclosure processes, including the adoption of public Vulnerability Disclosure Policies (VDPs) and support for Coordinated Vulnerability Disclosure (CVD). The guidance outlines good practices such as the publication of VDPs on organizational websites, clear communication channels for external reporters, defined response timelines, and alignment with international standards (e.g., ISO/IEC 29147, ISO/IEC 30111). It also includes practical implementation steps and evidence examples for demonstrating conformity during supervision by competent authorities.
Date: June 26, 2025
Organization: European Union Agency for Cybersecurity (ENISA)

Policy: Decision No. 1202 - OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies
Applies to: OSCE Member States
Provision: CBM 16
Description: Participating States will, on a voluntary basis, encourage responsible reporting of vulnerabilities affecting the security of and in the use of ICTs and share associated information on available remedies to such vulnerabilities, including with relevant segments of the ICT business and industry, with the goal of increasing co-operation and transparency within the OSCE region. OSCE participating States agree that such information exchange, when occurring between States, should use appropriately authorized and protected communication channels, including the contact points designated in line with CBM 8 of Permanent Council Decision No. 1106, with a view to avoiding duplication.
Date: March 2016
Organization: Organization for Security and Co-operation in Europe (OSCE)

Policy: ETSI 303 645
Applies to: Manufacturers
Provision: Provision 5.2-1
Description: The manufacturer shall make a vulnerability disclosure policy publicly available. This policy shall include, at a minimum:
• contact information for the reporting of issues; and
• information on timelines for: 1) initial acknowledgement of receipt; and 2) status updates until the resolution of the reported issues.
Date: June 2020
Organization: ETSI - European Telecommunications Standards Institute

Policy: ETSI TR 103 838, Cyber Security; Guide to Coordinated Vulnerability Disclosure
Applies to: Companies and organizations
Provision: N/A
Description: Provides guidance regarding the "essential steps" companies should take when deciding to implement a VDP. ETSI explicitly states that the document is not intended to be a 'comprehensive' guide.
Date: January 2022
Organization: ETSI - European Telecommunications Standards Institute

Policy: Code of Practice for Software Vendors
Applies to: Software developers, distributors, and resellers
Provision: Principle 3.2
Description: 3.2 Ensure the organisation implements and publishes an effective vulnerability disclosure process to support a transparent and open culture within the organisation. Associated technical control: Implement a vulnerability disclosure policy. (The organisation publishes a vulnerability disclosure policy which provides a public point of contact in order that security researchers and others are able to report issues. Disclosed vulnerabilities are then reported to relevant parties (outlined in the implementation guidance) and acted on in a timely manner.)
Date: TBD
Organization: Department of Science, Innovation, & Technology

Policy: Cyber Security of AI
Applies to: Developers and System Operators
Provision: Principle 6.3, Principle 11.2
Description: 6.3 Developers and System Operators shall implement and publish an effective vulnerability disclosure process to support a transparent and open culture within the organisation. 11.2 Developers shall provide security updates and patches, where possible, and notify System Operators and End-users of the security updates. 11.2.1 In instances where updates can’t be provided, Developers shall have mechanisms for escalating issues to the wider community, particularly customers and other Developers. To help deliver this, they could publish bulletins responding to vulnerability disclosures, including detailed and complete common vulnerability enumeration.
Date: TBD
Organization: Department of Science, Innovation, & Technology

Policy: Code of Practice for consumer IoT security
Applies to: Device manufacturers, IoT service providers, mobile application developers, retailers
Provision: Guideline 2
Description: 2. Implement a vulnerability disclosure policy. All companies that provide internet-connected devices and services shall provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues. Disclosed vulnerabilities should be acted on in a timely manner.
Date: October 14, 2018
Organization: Department of Science, Innovation, & Technology

Policy: Vulnerability Disclosure Policy / Coordinated Vulnerability Disclosure Policy
Applies to: Reporters of vulnerabilities / good faith security researchers
Provision: N/A
Description: INCIBE-CERT has an established CVD (Coordinated Vulnerability Disclosure) policy that supports those who wish to provide information on vulnerabilities detected, both in INCIBE-CERT's own systems and in the systems of third parties, citizens and private entities in Spain. For this reason, INCIBE-CERT provides support to those people who wish to provide information on vulnerabilities they have detected, and acts by anonymising the informant's data, unless the informant expressly indicates otherwise (at any time during the vulnerability management) or a judge so requires.
Date: N/A
Organization: Instituto Nacional de Ciberseguridad (INCIBE) - CERT