Playbook · Postmarket & CVD

Postmarket Vulnerability Disclosure & CVD Program Blueprint

A turn-key blueprint for standing up an FDA-aligned Coordinated Vulnerability Disclosure program: policy, intake, triage SLAs, advisories, and reviewer-ready evidence.

All playbooks

Updated May 2026 6 pages 14-min read Download PDF

Why this matters

The FDA's 2026 final premarket guidance requires a credible postmarket cybersecurity plan in the submission itself - including a Coordinated Vulnerability Disclosure (CVD) policy, monitoring approach, and patch cadence. Section 524B(b)(1) of the FD&C Act makes a 'plan to monitor, identify, and address postmarket cybersecurity vulnerabilities' a statutory submission requirement. This blueprint gives you the policy, the operating model, and the evidence reviewers and researchers expect.

Key takeaway: A CVD program is not a security.txt file. Reviewers, researchers, and hospital customers all want to see a policy, a working intake, real triage SLAs, and a track record of advisories - not just an email address.

The standards your program must align to

ISO/IEC 29147:2018 - Vulnerability disclosure (the external-facing process)
ISO/IEC 30111:2019 - Vulnerability handling processes (the internal triage process)
FDA 2026 final premarket guidance - postmarket plan content
Section 524B(b)(1) of the FD&C Act - statutory disclosure plan requirement
CISA Coordinated Vulnerability Disclosure Process - coordination with ICS-MEDICAL advisories

The eight pillars of a working CVD program

Public VDP policy page (scope, safe harbor, channels, SLA commitments)
Multiple intake channels (web form, security@, PGP key, optional bug bounty)
Internal triage workflow tied to your QMS / CAPA system
CVSS + clinical-impact scoring rubric (mapped to ISO 14971)
Patch / mitigation development with V&V evidence
Customer advisory + MDS2 update + CISA coordination
Public CVE assignment via CNA (or via MITRE root)
KPIs and continuous improvement loop

Triage SLAs reviewers expect

Acknowledge intake within 3 business days
Initial triage + reproduction within 10 business days
Critical (CVSS 9.0+ or patient-safety impact): mitigation in 30 days, patch in 60
High (CVSS 7.0–8.9): patch in 90 days
Medium / Low: bundled into next scheduled release with disclosure within 180 days

What's in the full PDF

Drop-in CVD policy template with safe-harbor language
Intake → triage → advisory workflow diagram
CVSS + clinical-impact scoring rubric
Customer advisory and CISA ICS-MEDICAL coordination templates
Reviewer-ready evidence pack checklist + KPI dashboard

Want the full 6-page playbook?

Includes every checklist, table, and template - formatted for printing and sharing.

Download PDF

What's inside

FDA-aligned CVD policy structure (ISO/IEC 29147 + 30111)
Intake channels, PGP, safe harbor language
Triage SLAs by CVSS + clinical impact
Advisory + MDS2 + CISA ICS-MEDICAL coordination
Reviewer-ready evidence pack and KPIs

Get the next playbook

Subscribe to The Monthly Pulse for new playbooks, FDA updates, and field notes.

Other playbooks

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ submissions.

Book strategy session Explore services