Coordinated Vulnerability Disclosure

External security researchers report vulnerabilities — whether you are prepared or not. TrustSource CVD gives you the structured process, the tooling and, if needed, the backup support that proper coordination demands.

At a Glance

Structured Intake

Dedicated intake at YOURDOMAIN.cvd.trustsource.io — discoverable by security researchers via security.txt and fully CRA-compliant.

Vultron Process Model

Automated CVD workflow based on the CERT/CC Vultron standard — clear states, clear responsibilities, no manual coordination overhead.

Audit Trail

Every step in the CVD process is logged — from initial report to coordinated disclosure. Audit-ready at any time.

Team Coordination

Assignment, status tracking and internal communication directly in TrustSource — no searching across ticket systems, no assignment gaps.

Coordinated Disclosure

Embargo management and scheduled advisory publication — agreed with the reporter, automated via CSAF.

EACG PSIRT Backup

No PSIRT of your own? No problem. The EACG PSIRT team steps in as external support when you need it most.

The Challenge

Coordinated Vulnerability Disclosure (CVD) is the process by which security researchers responsibly report discovered vulnerabilities to the vendor — before they become public knowledge. The idea is straightforward: give the vendor time to fix the problem before attackers find out about it.

In practice, CVD is complex. An incoming report must be assessed, prioritised and assigned internally. The reporter expects feedback. Embargo deadlines must be met. An advisory must be drafted, coordinated and published at exactly the right time. Without a structured process, communication gaps appear, deadlines are missed, and in the worst case the reporter publishes the vulnerability unilaterally — before a patch is ready.

The EU Cyber Resilience Act (CRA) makes CVD mandatory: manufacturers of products with digital elements must provide an accessible channel for vulnerability reports and coordinate incoming reports in a traceable way.

TrustSource CVD — the solution

TrustSource based its CVD automation on the Carnegie Mellon CERT/CC process model. The underlying framework — Vultron — describes CVD as three parallel state machines: Report Management, Embargo Management and Coordinated Disclosure. TrustSource maps this process completely and automates every step that can be automated.

The TrustSource CVD main process — based on the CERT/CC Vultron model

A structured CVD process delivers three benefits:

  • Playbook and clear responsibilities

    Everyone on the team knows what to do and when. Roles are defined, escalation paths are established — before an incident occurs, not during one.

  • No search or assignment gaps under pressure

    Incoming reports are captured, assigned and tracked immediately. No reports getting lost in email inboxes, no manual follow-up chasing.

  • EACG PSIRT team as backup

    No PSIRT of your own? You can call on the EACG PSIRT team when it matters — experienced coordinators who know the process and can act immediately.

4 steps to active CVD

  1. Choose TrustSource CVD

     Select the product and activate your plan.

  2. Identify resources & complete online training

     Assemble your team and get up to speed via the TrustSource Academy.

  3. Define security.txt & policy with an EACG consultant

     Publish your disclosure channel and define your policy — together with an EACG consultant who knows the process.

  4. Set up YOURDOMAIN.cvd.trustsource.io

     Activate your dedicated CVD platform — done. The process runs from here.
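As an added example (not TrustSource's or EACG's code), the following Python script validates the security.txt file that step 3 publishes against the rules of RFC 9116 a reviewer would check before going live: the required Contact and Expires fields, Contact values given as URIs (mailto:, tel: or https://), web links served over https, and an Expires timestamp that lies in the future but not more than about a year out. The two sample files and the example.com URLs are constructed; YOURDOMAIN.cvd.trustsource.io is the placeholder used on this page, and the CSAF field is the one the CSAF 2.0 standard defines for pointing researchers at a provider-metadata.json.

```python
"""Minimal RFC 9116 security.txt validator (added example, not TrustSource code)."""
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("Contact", "Expires")
# Fields whose value is a web URI and therefore must use https (RFC 9116 sec. 2.5).
WEB_URI_FIELDS = ("Acknowledgments", "Canonical", "Hiring", "Policy", "CSAF")

# Constructed sample: what a compliant file for the page's placeholder domain could look like.
GOOD_SAMPLE = """\
# security.txt for YOURDOMAIN (constructed sample)
Contact: https://YOURDOMAIN.cvd.trustsource.io
Contact: mailto:security@example.com
Expires: 2026-06-30T00:00:00Z
Policy: https://example.com/.well-known/security-policy
Canonical: https://example.com/.well-known/security.txt
CSAF: https://example.com/.well-known/csaf/provider-metadata.json
Preferred-Languages: en, de
"""

# Constructed sample with three common mistakes: bare e-mail address, http link, no Expires.
BAD_SAMPLE = """\
Contact: security@example.com
Policy: http://example.com/security-policy
Preferred-Languages: en, de
"""


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}; comments and blanks are skipped."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' pair")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate(fields, now=None):
    """Return a list of problems; an empty list means the file passed every check."""
    now = now or datetime.now(timezone.utc)
    problems = []

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field {name}")

    # Contact MUST be a URI; a bare address or a plain http link is the usual error.
    for value in fields.get("Contact", []):
        if not value.startswith(("https://", "mailto:", "tel:")):
            problems.append(f"Contact is not a mailto:/tel:/https:// URI: {value}")

    # Web URIs in the other fields must be https.
    for name in WEB_URI_FIELDS:
        for value in fields.get(name, []):
            if value.startswith("http://"):
                problems.append(f"{name} must use https: {value}")

    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    elif len(expires) == 1:
        try:
            # RFC 3339 timestamp; Python's parser wants +00:00 instead of Z.
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        else:
            if when.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif when <= now:
                problems.append(f"Expires is in the past: {expires[0]}")
            elif when - now > timedelta(days=366):
                problems.append("Expires is more than a year ahead (RFC 9116 recommends less)")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, validate(parse_security_txt(sample)) or "OK")
```

Run it against the file actually served at /.well-known/security.txt before announcing the channel, and again whenever the Expires date is renewed; a stale Expires is the most frequent reason a researcher distrusts an otherwise correct file.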

Ready to get started?

Book a call with our team now.