Coordinated Vulnerability Disclosure
A documented process for receiving, triaging, and responsibly disclosing security vulnerabilities reported by external researchers.
Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed May 5, 2026.
Definition
Coordinated Vulnerability Disclosure (CVD) is the documented process by which a manufacturer accepts vulnerability reports from external researchers, validates and remediates the issues, and publishes advisories - coordinated to give operators time to deploy fixes before attackers exploit them. ISO/IEC 29147:2018 defines the disclosure process and ISO/IEC 30111:2019 defines the internal handling process. FDA, CISA, and ENISA all expect MedTech manufacturers to operate a CVD program.
What the regulation says
FDA's 2023 guidance and section 524B both require a CVD process: a public point of contact, a documented intake and triage workflow, a commitment to communicate with reporters, and a process for issuing advisories. The HSCC "Medical Device and Health IT Joint Security Plan" provides MedTech-specific CVD templates. ENISA's CVD policy and CISA's Binding Operational Directive 20-01 set parallel expectations for federal use cases.
What this means in practice
A working CVD program needs a published security.txt file or vendor security page, a monitored intake address (security@), an SLA-driven triage process, integration with CAPA, and a coordinated-release plan with affected customers and ISACs. Mature MedTech teams also offer Safe Harbor language so good-faith researchers aren't deterred by legal risk.
Common pitfalls
- No published intake channel - researchers default to public disclosure when they can't reach you.
- Treating CVD intake as a security-only problem; legal, comms, and clinical-affairs all need playbooks.
- Publishing advisories without a working VEX/SBOM bridge so operators know which devices need action.
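The published intake channel above, and the first pitfall, both come down to a security.txt file (RFC 9116) that is present, reachable, and not stale. The validator below is an added example, not code from this page or from any vendor: it parses a constructed sample file for a hypothetical vendor domain and applies the checks a reviewer would run before trusting the channel (Contact present and using mailto:, https: or tel:; Expires present exactly once, timestamped with a timezone, not in the past, and under a year out; no plain-http web URIs). `REVIEW_DATE` is pinned so the result is reproducible.

```python
"""Validate a security.txt file (RFC 9116) that advertises a CVD intake channel.

Added example; the sample file and the vendor domain below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample file for a hypothetical vendor (not a real domain)
SAMPLE_SECURITY_TXT = """\
# Vendor security contact (constructed example)
Contact: mailto:security@example-medtech.invalid
Contact: https://example-medtech.invalid/security
Expires: 2027-01-01T00:00:00Z
Preferred-Languages: en
Policy: https://example-medtech.invalid/security/policy
Canonical: https://example-medtech.invalid/.well-known/security.txt
"""

# Pinned "now" so the checks below are reproducible (constructed value)
REVIEW_DATE = datetime(2026, 5, 9, tzinfo=timezone.utc)

# Fields defined in RFC 9116 section 2.5; names are case-insensitive
KNOWN_FIELDS = {
    "acknowledgments", "canonical", "contact", "encryption",
    "expires", "hiring", "policy", "preferred-languages",
}
LINE_RE = re.compile(r"^([A-Za-z-]+):\s*(.*?)\s*$")


def parse_security_txt(text):
    """Return ({field: [values]}, [syntax errors]); comments and blank lines are skipped."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"error: line {lineno} is not a 'Field: value' line")
            continue
        fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields, errors


def _parse_expires(value):
    # RFC 9116 uses the RFC 3339 profile; map a trailing "Z" for older Pythons
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_security_txt(text, now=None):
    """Return a list of findings; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields, findings = parse_security_txt(text)

    for name in fields:
        if name not in KNOWN_FIELDS:
            findings.append(f"warning: unknown field '{name}' (RFC 9116 says ignore it)")

    # Contact: the whole point of the file; researchers must be able to reach you
    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("error: Contact is required (reporters need an intake channel)")
    for uri in contacts:
        scheme = uri.split(":", 1)[0].lower()
        if scheme not in ("mailto", "https", "tel"):
            findings.append(f"error: Contact '{uri}' must use mailto:, https:, or tel:")

    # Expires: exactly one, valid, timezone-aware, in the future, and under a year out
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("error: Expires must appear exactly once")
    else:
        try:
            exp = _parse_expires(expires[0])
        except ValueError:
            findings.append(f"error: Expires '{expires[0]}' is not an RFC 3339 timestamp")
        else:
            if exp.tzinfo is None:
                findings.append("error: Expires must carry a timezone")
            elif exp <= now:
                findings.append("error: file has expired; reporters may treat it as stale")
            elif exp - now > timedelta(days=365):
                findings.append("warning: Expires is more than a year out (RFC recommends under a year)")

    if len(fields.get("preferred-languages", [])) > 1:
        findings.append("error: Preferred-Languages must appear at most once")

    # Web URIs in any field must be https (RFC 9116 section 2.3)
    for name, values in fields.items():
        for uri in values:
            if uri.lower().startswith("http://"):
                findings.append(f"error: {name} '{uri}' uses http; web URIs must be https")

    return findings


if __name__ == "__main__":
    for finding in validate_security_txt(SAMPLE_SECURITY_TXT, now=REVIEW_DATE) or ["ok"]:
        print(finding)
```

Run against the sample it prints `ok`; point it at a file fetched from `/.well-known/security.txt` on your own domain and every finding is something a researcher would also hit before giving up and disclosing publicly.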
Frequently asked questions
Not required. A bounty can attract more reports but adds program overhead. Most MedTech CVD programs start without a bounty and add one later if researcher engagement justifies it.
Primary references
- [1] ISO/IEC 29147:2018 - Vulnerability disclosure (ISO/IEC, iso.org)
- [2] ISO/IEC 30111:2019 - Vulnerability handling processes (ISO/IEC, iso.org)
- [3] FDA Cybersecurity Guidance (Sept 2023) (FDA, fda.gov)
- [4] RFC 9116 - security.txt (IETF, rfc-editor.org)