Coordinated Vulnerability Disclosure Generator

FDA Section 524B requires a documented vulnerability disclosure process. Fill in the blanks; get a publish-ready policy aligned to ISO/IEC 29147 and CISA's CVD guidance.

Inputs become a publish-ready CVD policy and SLA timeline

• MilestoneTimeline infographic: acknowledgement → triage → fix → public disclosure SLAs.
• ISO/IEC 29147-structured policy text with your contact details and PGP fingerprint baked in.
• Copy-to-clipboard handoff for legal review and posting at /security or /.well-known/security.txt.
• Direct alignment notes for FDA §524B 'coordinated vulnerability disclosure process' requirement.

What teams usually get wrong

• Myth: A security@ inbox is enough to satisfy FDA's CVD requirement.

  Reality: §524B requires a documented process: intake, triage SLAs, coordination with reporters, and a public-facing policy. An inbox without a policy is a deficiency.

• Myth: We can wait until a researcher reports something to publish a policy.

  Reality: FDA explicitly looks for the published CVD policy in the premarket submission. No policy → an AI letter on day 60.

• Myth: Bug bounty = CVD program.

  Reality: Bounties pay for findings; CVD governs how findings are handled, disclosed, and reported to FDA. You can have CVD without a bounty, but not the other way around.

• Myth: Safe-harbor language is boilerplate.

  Reality: It's the single most-cited reason researchers will or won't report. Generic legalese chills disclosure; ISO 29147-aligned safe-harbor language unlocks it.

Primary sources behind this tool

1. ISO/IEC 29147:2018 - Vulnerability disclosure - ISO/IEC
2. ISO/IEC 30111:2019 - Vulnerability handling processes - ISO/IEC
3. CISA Coordinated Vulnerability Disclosure Process - CISA
4. FDA Postmarket Management of Cybersecurity in Medical Devices (Dec 2016) - FDA
5. security.txt - RFC 9116 - IETF

From policy to running program.