Maps to
QMSR / ISO 13485: §820.198
IEC 81001-5-1: §9
FDA Cybersecurity Guidance: §VI.B, VII.C.1
Requirement text
The manufacturer shall establish and publish a coordinated vulnerability disclosure (CVD) policy that provides a mechanism for security researchers, customers, and other third parties to report potential vulnerabilities. The policy must define how reports are received, acknowledged, investigated, and how the manufacturer coordinates with reporters through remediation and public disclosure.
What changed
The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (PATCH Act, effective October 1, 2023).
Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, connects to the internet (directly or indirectly), or could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.
FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.
Atomic constraints
- A coordinated vulnerability disclosure policy must be published and publicly accessible (e.g., on the company website).
- The policy must provide a secure channel for submitting vulnerability reports (e.g., encrypted email, web form, security.txt).
- Acknowledgment timelines must be defined (e.g., initial response within 48 hours of report receipt).
- The policy must define the coordination process with the reporter through investigation, remediation, and disclosure.
- The policy must commit to not pursuing legal action against good-faith security researchers.
- The disclosure timeline and process must be defined (e.g., 90-day coordinated disclosure window).
- The CVD policy must be operational before device market clearance or market release, not just drafted as a submission document — the intake channel must be live and monitored.
- The policy must define the manufacturer's commitment to ongoing communication with the reporter throughout the investigation period, including status updates when the investigation extends beyond the initial acknowledgment.
- The policy must define the manufacturer's coordination process with the reporter prior to any public disclosure, including the mutual agreement on disclosure timing and content where feasible.
- Internal procedures implementing the CVD policy must assign named roles for receiving reports, performing initial triage, conducting technical investigation, managing reporter communication, and making disclosure decisions.
- Records of each vulnerability report received under the CVD process must be maintained, including receipt date, reporter identity (if provided), investigation status, remediation actions taken, and disclosure outcome.
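The constraints above name security.txt as one secure intake channel and require that channel to be live before clearance. The following is an added example, not code from this page or from any regulator, that parses a security.txt file (RFC 9116) and reports conditions under which the advertised channel would be unusable or stale: missing Contact or Expires, non-URI contacts, a past Expires date, or no Policy link for researchers to find the safe-harbor and disclosure terms. The sample file and its domain are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a security.txt as a manufacturer might publish at
# /.well-known/security.txt; the domain is a placeholder, not a real vendor.
SAMPLE_SECURITY_TXT = """\
Contact: mailto:security@example-devicemaker.invalid
Contact: https://example-devicemaker.invalid/report-vulnerability
Encryption: https://example-devicemaker.invalid/pgp-key.txt
Policy: https://example-devicemaker.invalid/cvd-policy
Expires: 2099-01-01T00:00:00Z
"""

REQUIRED_FIELDS = ("Contact", "Expires")  # mandatory per RFC 9116

def parse_security_txt(text):
    """Map field name -> list of values, skipping blank and comment lines."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return findings that make the published intake channel unusable or stale."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = [f"missing required field: {n}" for n in REQUIRED_FIELDS if n not in fields]
    for contact in fields.get("Contact", []):
        if not re.match(r"^(https://|mailto:|tel:)", contact):  # only URIs RFC 9116 allows
            findings.append(f"Contact is not an https/mailto/tel URI: {contact}")
    for exp in fields.get("Expires", []):
        try:
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 timestamp: {exp}")
            continue
        if when.tzinfo is None:  # treat a naive timestamp as UTC so comparison works
            when = when.replace(tzinfo=timezone.utc)
        if when <= now:
            findings.append(f"security.txt expired on {exp}; channel no longer advertised")
    if "Policy" not in fields:
        findings.append("no Policy link: safe-harbor and disclosure terms are not discoverable")
    return findings
```

Running the checker on a schedule against the live URL, rather than once at submission time, is what turns a drafted policy into an operational one.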
Common gaps
CVD policy not published or operational before clearance
Severity: major
FDA expects an operational CVD policy (published, with working intake channels) before market clearance. Most manufacturers create the policy document for submission but do not actually publish it, set up secure reporting channels, or establish internal triage procedures until after clearance — if at all.
Evidence signals
- FILE_EXISTS: Vulnerability.*Disclosure|CVD.*Policy|Disclosure.*Policy|Security.*Policy|security\.txt
- CONTENT_MATCH: Does this document define a coordinated vulnerability disclosure policy with a secure reporting channel, acknowledgment timelines, coordination process with reporters, safe harbor for good-faith researchers, and a defined disclosure timeline?
Audit defense
The Coordinated Vulnerability Disclosure Policy for [your product] (Doc ID: [your document ID]) is published on our website per FDA Premarket Cybersecurity Guidance, providing a secure reporting channel, 48-hour acknowledgment commitment, coordination process, and safe harbor for good-faith security researchers.