
Coordinated vulnerability disclosure policy

Control id: vulnerability-disclosure-policy. Domain: cybersecurity. Type: process.

Description

A published, free, and easy-to-find way for security researchers and the public to report a vulnerability in a product, plus the internal process that receives, triages, and remediates those reports. The product-security regimes that have landed in 2024-2027 treat the disclosure channel as a standalone obligation rather than as a nice-to-have: the UK PSTI regime requires manufacturers of connectable consumer products to publish at least one contact point for security reports along with information on acknowledgement and status updates, and the EU Cyber Resilience Act requires manufacturers of products with digital elements to operate a coordinated vulnerability handling process across the support period. The practical shape of the control is a security.txt file or a /security page naming a monitored contact, an intake queue that does not require the reporter to hand over personal data, an internal SLA for acknowledgement and triage, and a record of how each report was resolved. The common failure is treating the contact address as the whole obligation; regulators reading the statute want to see that reports are actually acknowledged and acted on, not that an inbox exists.

Required by (2 regulations)

  • EU CRA

    Manufacturers must operate a coordinated vulnerability handling and disclosure process for products with digital elements, including a contact address for reporting vulnerabilities, throughout the support period (Article 13 and Annex I Part II).

    Regulation (EU) 2024/2847 (Cyber Resilience Act), Article 13 and Annex I Part II; main obligations apply 2027-12-11


  • UK PSTI

    Manufacturers of relevant connectable products must publish information on how to report security issues, including at least one point of contact, and information about expected acknowledgement and status updates, provided free of charge.

    The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (SI 2023/1007), Schedule 1; in force 2024-04-29


Evidence formats

  • published vulnerability disclosure policy page or security.txt file naming a monitored contact
  • internal triage runbook with acknowledgement and remediation SLAs
  • log of received reports with resolution status
  • coordinated-disclosure timeline records for remediated vulnerabilities
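A check a practitioner would run over the published security.txt named in the description and in the evidence list above, as an added example that is not Magist's code: it parses the RFC 9116 fields and flags a missing Contact, a contact that is not a URI, a missing or stale Expires, and a missing Policy link. The sample file, the example.com addresses and the finding texts are constructed for this example.

```python
from datetime import datetime, timezone, timedelta
# Constructed sample; the example.com addresses are placeholders, not a real vendor's.
SAMPLE_SECURITY_TXT = """\
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2027-06-01T00:00:00Z
Policy: https://example.com/security/policy
"""
def _parse_ts(value):
    # ISO 8601; a trailing Z or a missing zone is read as UTC (fromisoformat before 3.11 rejects Z)
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}, case-insensitive on the field name."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):  # blank, comment and colon-less lines are skipped
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of findings; an empty list means the file passes these checks."""
    now_ts = _parse_ts(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = []
    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("missing Contact: RFC 9116 requires it and PSTI/CRA need a reporting point")
    for c in contacts:
        if not c.startswith(("mailto:", "https://", "tel:")):
            findings.append(f"Contact should be a mailto:, https:// or tel: URI, got {c!r}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires must appear exactly once (RFC 9116)")
    else:
        try:
            exp = _parse_ts(expires[0])
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 timestamp: {expires[0]!r}")
        else:
            if exp <= now_ts:
                findings.append("Expires is in the past: the file is stale and reporters may distrust it")
            elif exp - now_ts > timedelta(days=365):
                findings.append("Expires is more than a year out; RFC 9116 recommends under a year")
    if "policy" not in fields:
        findings.append("no Policy link: publish how reports are acknowledged and updated (PSTI)")
    return findings
```

Run it against the live file on a schedule: an Expires that has silently lapsed is the most common way a once-compliant disclosure channel stops being evidence of one.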

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Operated by a Washington-licensed attorney. Not licensed in California or other US states.

Magist is an instrument, not a consultancy. It does not sell compliance services or take payment from vendors for placement; the analysis is the same for everyone. No vendor, sponsorship, or referral fees, ever.


© 2026 Magist