Details
- Publication date: 12 February 2025
- Author: European Union Agency for Cybersecurity
- Type of Document: Guidelines
- Certification Scheme
Description
This guidelines document, which supports the EUCC scheme, provides guidance for the holder of the EUCC certificate and the IT Security Evaluation Facilities (ITSEFs) on how to apply the rules on vulnerability handling and disclosure in Implementing Regulation (EU) 2024/482 establishing the EUCC scheme. It also includes guidance for the certification body (CB), the National Cybersecurity Certification Authorities (NCCAs) and the Computer Security Incident Response Team (CSIRT) designated in the Member State as coordinator for the purposes of the coordinated vulnerability disclosure process.
This document is intended to be updated to further cover the specific case of composite evaluations, to benefit from other schemes established under the CSA, and to ensure consistency with applicable EU legislation, in particular the Cyber Resilience Act.
