Jurisdiction
Region
Requirement
Policy
Vulnerability Reporting Guideline
Applies to
Companies and organizations, Reporters of vulnerabilities
Provision
N/A
Description
Provides recommended procedures for the reporter of a vulnerability:
1. Report the vulnerability to the National Cyber Security Centre SK-CERT as soon as it is detected, in order to minimize the risk of abuse by attackers.
2. For confidentiality, it is recommended to encrypt the communication via PGP.
3. The vulnerability report must include a detailed description of the problem. A suggested fix for the vulnerability may also be included.
4. It is recommended to include detailed contact information in the report, along with a means of secure communication (e.g. a PGP fingerprint).
5. SK-CERT may assist the reporter by taking further steps:
* assessing the reported vulnerability from an expert viewpoint,
* registering a CVE number for the vulnerability,
* identifying the entities concerned and their respective contacts (the manufacturer, national CSIRTs, affected users),
* contacting the entities concerned either with the reporter's identity disclosed or with the reporter kept anonymous.
6. The reporter may specify a vulnerability removal period for the affected entity, during which the vulnerability is not disclosed publicly. If the entity does not respond to the report and the deadline expires, the reporter may disclose the vulnerability publicly. It is good practice to add solution methods or mitigations to the vulnerability report. The default period is 30 to 90 days, depending on the nature of the vulnerability.
Provides recommended procedures for the affected entities of a vulnerability:
* a process of vulnerability reporting (within the process each reported issue should be assessed, not just those vulnerabilities with higher severity),
* a process of vulnerability prioritisation and management,
* a process of vulnerability disclosure to the public.
1. The response to each report should be prompt and adequate to the reported vulnerability.
2. The vulnerability management process should be given a high priority, and vulnerabilities should be fixed in the next update.
3. The vulnerability management process should also include identifying potential victims and the method of their notification.
4. If the vulnerability is to be disclosed to the public, the company determines the date of disclosure and, if the vulnerability was not detected by the company itself, notifies the reporter. After consulting the reporter, it also chooses an appropriate channel for disclosing the vulnerability to the community and the public.
5. The company may reward the reporter for reporting the vulnerability. It may also "offer a reward" for finding vulnerabilities in its products. This procedure is recommended to increase the security of the company's products and services.
6. Vulnerability reporting should be seen as an opportunity to improve products and as a chance to learn about a vulnerability before its abuse causes damage to the user, operator or manufacturer of the product or service. It is therefore recommended to treat the reporter gratefully, as a person who wants to help, like a friendly co-worker. This, of course, does not preclude legal action if the reporter's actions are manifestly unethical or illegal.
Date
September 2019
Organization
SK CERT
Jurisdiction
Region
Requirement
Policy
National Cybersecurity Framework
Applies to
Public and private organizations
Provision
4.6.3 RS.AN-5
Description
Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources. The organization should have a formal process to receive the submission of vulnerabilities from internal or external sources (e.g. internal tests, vulnerability reports, security researchers). Each submission should be analyzed, verified and passed through the process for security incident handling, unless it is a false positive.
Date
April 2020
Organization
National Cybersecurity Centre (CNCS)
Jurisdiction
Region
Requirement
Policy
Coordinated Vulnerability Disclosure: the Guideline
Applies to
Companies and organizations
Provision
N/A
Description
Outlines best practices for organizations to create their own CVD policy. It focuses on 5 broad areas:
1. Explaining the goal of a CVD
2. Defining the differing areas of responsibility for organizations and the party reporting a vulnerability
3. Proposing structures for a CVD within an organization, proposing terms for an individual, and proposing coordination with the NCSC
4. Clarifying the process for the communication of a vulnerability
5. Providing examples of existing CVDs
Date
October 2018
Organization
National Cyber Security Centre, Ministry of Justice and Security
Jurisdiction
Region
Requirement
Policy
National Cybersecurity Strategy IV (2021-2025)
Applies to
TBD
Provision
Objective 1.5
Description
The Government will propose the necessary legislative changes and initiatives to make possible or deepen different approaches in order to improve cybersecurity by using the collective intelligence of security researchers, private companies active in the search for vulnerabilities and any users who discover a security breach. The possibility of creating, in the near future, a platform at GOVCERT.LU that encourages researchers to report bugs, especially those associated with vulnerabilities, will be analysed.
Date
October 2021
Organization
High Commission for National Protection
Jurisdiction
Region
Requirement
Policy
Cyber Security Law of the Republic of Lithuania No. XII-1428 Law amending Articles 1, 2, 6, 8, 9, 13, the title of Chapter V, the appendix and supplementing the Law with Article 17 and Chapter VI
Applies to
Reporters of Vulnerabilities
Provision
Article 8 (Adding Article 17)
Description
Provides a definition of what constitutes the legitimate disclosure of a vulnerability by a private person; it also sets the following restrictions:
1. The operation, functionality, services and data availability or integrity of the communication and information system may not be disrupted or altered.
2. Once a vulnerability is identified, the search activity is terminated.
3. Within 24 hours of the start of the search activity, information on the search results must be submitted to the NCSC under the Ministry of National Defence or to the cybersecurity entity (CSE).
4. Data managed by a cybersecurity entity is not unnecessarily validated, monitored, recorded, intercepted, acquired, stored, disclosed, copied, modified, corrupted, deleted or destroyed.
5. No attempts are made to guess passwords. Illegally obtained passwords are not used, and employees of the CSE or other persons who have the right to use non-public information relevant to the vulnerability search are not exploited or manipulated in order to obtain that information.
6. Information about the detected vulnerability is shared only with the NCSC under the Ministry of National Defence or the CSE, and is made public according to the amendment.
Date
June 2021
Organization
Ministry of National Defense
Jurisdiction
Region
Requirement
Policy
The Cybersecurity Strategy of Latvia 2023-2026
Applies to
Institutions
Provision
Directive 1 (Page 20)
Description
The newly created National Cybersecurity Centre will oversee, with the assistance of the Constitution Protection Bureau, the voluntary implementation of a coordinated vulnerability disclosure process within institutions in line with NIS2.
Date
2023
Organization
Ministry of Defense
Jurisdiction
Region
Requirement
Policy
Law for a Digital Republic
Applies to
ANSSI (French government agency)
Provision
Article 47
Description
Creates a safe harbor for vulnerability reporters if they are acting in good faith, and if they report it to ANSSI exclusively.
Date
October 2016
Organization
Congrès du Parlement
Jurisdiction
Region
Requirement
Policy
Cyber Security Strategy for Germany 2021
Applies to
Government agencies
Provision
Section 8.1.8
Description
8.1.8 Responding responsibly to vulnerabilities – promoting coordinated vulnerability Our aim is for the Federal Government to develop a framework to ensure that those reporting bugs have legal certainty if they approach companies to inform them that they have become aware of vulnerabilities, with a view to fostering proactive vulnerability governance. There will be reliable points of contact for them to report their findings. These can take the form of internal contact points which companies themselves are obligated to set up, or the BSI as a public liaison office. The legislator will obligate the companies affected to provide points of contact and processes to enable them to fix reported vulnerabilities in a suitable time frame. The extent to which the rights and duties are set out on both sides of the CVD process will be examined. These rights and duties could include a holdback period before making vulnerabilities public or a binding deadline for patches or updates. A coordinated process will be put in place between the BSI and manufacturers which extends beyond the simple exchange of information. This will also apply to vulnerabilities in the IT supply chains of products and services (supply chain security).
Date
2021
Organization
Federal Ministry of the Interior, Building, and Community
Jurisdiction
Region
Requirement
Policy
The Danish National Strategy for Cyber and Information Security
Applies to
Government agencies
Provision
Appendix 1.12
Description
A pilot for a government CVD (Coordinated Vulnerability Disclosure) policy was initiated. This policy aims to provide a framework for government agencies to allow private individuals (“helpful hackers”) to identify and report vulnerabilities in ICT systems. The finalized government-wide CVD policy is still forthcoming.
Date
December 2021
Organization
Danish Government