Switzerland’s National Cyber Security Centre (NCSC) established a national Coordinated Vulnerability Disclosure (CVD) framework in December 2022. The framework outlines non-binding but formalized procedures for the intake, triage, and remediation of reported security vulnerabilities. It provides safe harbor protections for good-faith researchers, supports anonymous submissions, and requires initial triage within five business days and remediation within sixty days. The NCSC also acts as a CVE Numbering Authority (CNA) for relevant cases. While participation is voluntary and the framework does not include financial incentives, it encourages the publication of vulnerability disclosure points of contact and fosters alignment with recognized CVD best practices. The framework remains active beyond the duration of the 2022–2025 “Promotion of Ethical Hacking” initiative and reflects Switzerland’s national commitment to structured vulnerability handling and disclosure.
Jurisdiction
Region
Requirement
Policy
NCSC Coordinated Vulnerability Disclosure (CVD) Framework
Applies to
All digital infrastructures and ICT services within Switzerland’s jurisdiction, including systems operated by the Federal Administration and private sector entities whose vulnerabilities could impact national digital security. Participation is open to security researchers acting in good faith.
Provision
NCSC Coordinated Vulnerability Disclosure (CVD) Framework
Description
Date
December 2022
Organization
National Cyber Security Centre (NCSC), under the Federal Department of Defence, Civil Protection and Sport (DDPS); transitioning to the Federal Office for Cybersecurity (BACS) as of 2024