  
    
  
    
  
    
      
      Jurisdiction
              
          Region
              
          Requirement
              
          Policy
      Coordinated Vulnerability Disclosure: the Guideline
    Applies to
              Companies and organizations
          Provision
              N/A
          Description
              Outlines best practices for organizations to create their own CVD policy. It focuses on 5 broad areas:
              1. Explaining the goal of a CVD
              2. Defining the differing areas of responsibility for organizations and the party reporting a vulnerability
              3. Proposing structures of a CVD within an organization, proposing terms for an individual, and proposing coordination with the NCSC
              4. Clarifying the process for the communication of a vulnerability
              5. Providing examples of existing CVDs
          Date
              October 2018
          Organization
              National Cyber Security Centre, Ministry of Justice and Security
          Jurisdiction
              
          Region
              
          Requirement
              
          Policy
      National Cybersecurity Strategy IV (2021-2025)
    Applies to
              TBD
          Provision
              Objective 1.5
          Description
              The Government will propose the necessary legislative changes and initiatives to make possible or deepen different approaches in order to improve cybersecurity by using the collective intelligence of security researchers, private companies active in the search for vulnerabilities and any users who discover a security breach. The possibility of creating, in the near future, a platform at GOVCERT.LU that encourages researchers to report bugs, especially those associated with vulnerabilities, will be analysed.
          Date
              October 2021
          Organization
              High Commission for National Protection
          Jurisdiction
              
          Region
              
          Requirement
              
          Policy
      Cyber Security Law of the Republic of Lithuania No. XII-1428 Law amending Articles 1, 2, 6, 8, 9, 13, the title of Chapter V, the appendix and supplementing the Law with Article 17 and Chapter VI
    Applies to
              Reporters of Vulnerabilities
          Provision
              Article 8 (Adding Article 17) 
          Description
              Provides a definition for what constitutes the legitimate disclosure of a vulnerability by a private person; it also determines the following restrictions:
              1. The operation, functionality, services and data availability or integrity of the communication and information system may not be disrupted or altered.
              2. When a vulnerability is identified, the search activity is terminated.
              3. Within 24 hours of the start of the search activity, information on search results must be submitted to the NCSC under the Ministry of National Defence or CSE.
              4. It is not unnecessarily sought to validate, monitor, record, intercept, acquire, store, disclose, copy, modify, corrupt, delete, destroy data managed by a cybersecurity entity.
              5. No attempts are made to guess passwords. Passwords obtained illegally are not used and employees of the CSE or other persons who have the right to use non-public information relevant to the search for loopholes are not exploited or manipulated in order to obtain the information.
              6. Information about the detected vulnerability is shared only with the NCSC under the Ministry of National Defence or CSE and made public according to the amendment.
          Date
              June 2021
          Organization
              Ministry of National Defense
          Jurisdiction
              
          Region
              
          Requirement
              
          Policy
      The Cybersecurity Strategy of Latvia 2023-2026
    Applies to
              Institutions
          Provision
              Directive 1 (Page 20)
          Description
              The newly created National Cybersecurity Centre will oversee, with the assistance of the Constitution Protection Bureau, the voluntary implementation of a coordinated vulnerability disclosure process within institutions in line with NIS2.
          Date
              2023
          Organization
              Ministry of Defense
          Jurisdiction
              
          Region
              
          Requirement
              
          Policy
      Law for a Digital Republic
    Applies to
              ANSSI (French government agency) 
          Provision
              Article 47
          Description
              Creates a safe harbor for vulnerability reporters if they are acting in good faith, and if they report it to ANSSI exclusively.
          Date
              October 2016
          Organization
              Congrès du Parlement
          Jurisdiction
              
          Region
              
          Requirement
              
          Policy
      Cyber Security Strategy for Germany 2021
    Applies to
              Government agencies
          Provision
              Section 8.1.8
          Description
              8.1.8 Responding responsibly to vulnerabilities – promoting coordinated vulnerability
              Our aim is for the Federal Government to develop a framework to ensure that those reporting bugs have legal certainty if they approach companies to inform them that they have become aware of vulnerabilities, with a view to fostering proactive vulnerability governance. There will be reliable points of contact for them to report their findings. These can take the form of internal contact points which companies themselves are obligated to set up, or the BSI as a public liaison office. The legislator will obligate the companies affected to provide points of contact and processes to enable them to fix reported vulnerabilities in a suitable time frame. The extent to which the rights and duties are set out on both sides of the CVD process will be examined. These rights and duties could include a holdback period before making vulnerabilities public or a binding deadline for patches or updates. A coordinated process will be put in place between the BSI and manufacturers which extends beyond the simple exchange of information. This will also apply to vulnerabilities in the IT supply chains of products and services (supply chain security).
          Date
              2021
          Organization
              Federal Ministry of the Interior, Building, and Community
          Jurisdiction
              
          Region
              
          Requirement
              
          Policy
      The Danish National Strategy for Cyber and Information Security
    Applies to
              Government agencies
          Provision
              Appendix 1.12
          Description
              A pilot of a government CVD (Coordinated Vulnerability Disclosure) policy will be launched. A government CVD policy will describe the framework for government agencies to allow private individuals (“helpful hackers”) to identify and report vulnerabilities in ICT systems.
          Date
              December 2021
          Organization
              Danish Government
          Jurisdiction
              
          Region
              
          Requirement
              
          Policy
      Action Plan for the National Cybersecurity Strategy of the Czech Republic 2021-2025
    Applies to
              TBD
          Provision
              Code 11
          Description
              Czechia's NUKIB will "draft a national policy proposal for the coordinated disclosure of vulnerabilities" by Q4 2021.
          Date
              TBD
          Organization
              National Cyber and Information Security Agency (NÚKIB)
          Jurisdiction
              
          Region
              
          Requirement
              
          Policy
      Guide to Coordinated Vulnerability Disclosure Policies, Part II: Legal Aspects
    Applies to
              Companies and organizations
          Provision
              N/A
          Description
              Outlines the specific legal consequences of a CVD as they relate to Intrusion into an IT system; Manipulation of IT data; IT forgery and IT fraud; Crimes concerning the secrecy of communications; and Compliance with other legal provisions.
          Date
              December 2020
          Organization
              Centre for Cyber Security Belgium