Publish a Vulnerability Disclosure Policy
The CRA's Article 13 requires a Vulnerability Disclosure Policy (VDP) — a published, machine-discoverable channel for researchers to report security issues. MM CRA Toolkit drafts a complete VDP following ISO/IEC 29147 conventions and publishes it as a WordPress page or exports it as standalone HTML.
Configure the policy
Go to CRA Toolkit → Vulnerability Disclosure. The form has these fields:
Reporting channel
- Primary email — where reports come in (use a security alias, e.g. security@yourcompany.com)
- Web form URL — optional, if you prefer a structured intake form
- PGP key — optional ASCII-armored public key for encrypted reports. The toolkit accepts the armored block as-is and preserves embedded `<email>` markers, comments, and signatures
Response SLA
The convention is:
- First acknowledgment within 72 hours
- Initial triage within 7 days
- Resolution or status update within 90 days
You can adjust the numbers, but don't promise faster than you can deliver. CRA Article 14 makes published SLAs enforceable.
Scope
- In-scope products — list the plugins covered by this policy (one per line)
- Out-of-scope items — what researchers should NOT submit. Common entries: social engineering attacks, physical security, third-party services hosted off your infrastructure, denial-of-service tests
The form provides hint text with examples for both fields.
Safe harbor
Standard CVD safe-harbor language explaining what researchers can and cannot do without legal risk. Pre-populated; edit if your legal counsel wants different language.
Recognition
Whether you publish a hall of fame, offer bounties, or just send a thank-you email. Honest answers serve you better than aspirational ones — researchers learn fast which programs follow through.
Publish or export
Two ways to surface the VDP:
- Publish as WordPress page — creates (or updates) a page at a `/.well-known/security.txt`-aligned URL like `/security/` or `/vulnerability-disclosure/`. The HTML form output is what visitors see.
- Export as HTML — downloads a standalone `.html` file. Drop it on your marketing site at the same URL.
Either way, the URL needs to be discoverable. Add a Contact line to /.well-known/security.txt pointing at it, per RFC 9116.
Saved per VDP record
The toolkit stores one VDP per site (not per plugin). All plugins shipped from this WordPress install share the same policy. Edit and republish at any time — the audit log records each save with the SHA-256 hash of the rendered HTML.
What the toolkit doesn't do
- It doesn't host an intake form. If you want one, build a Contact Form 7 / Gravity Forms page and link it from the VDP.
- It doesn't manage incoming reports. Use Gmail labels, Linear, or a dedicated VDM tool.
- It doesn't generate `security.txt` automatically — but you should add one. The toolkit's VDP URL is the `Contact:` field.
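Since you write the security.txt by hand, here is an added validator (example code, not part of MM CRA Toolkit) for the file referenced above and in the "Publish or export" section. It parses a constructed sample in which the toolkit's VDP URL is the Contact field and checks the RFC 9116 requirements that most often go wrong: Contact present and a proper URI, exactly one Expires, and Expires neither stale nor more than a year out. The domain, URLs and CHECK_DATE are constructed placeholders.

```python
"""Check a security.txt against RFC 9116 rules. Added example, not toolkit code."""
from datetime import datetime, timedelta, timezone

# Constructed sample: the VDP page URL is the Contact field, as the toolkit docs say.
SAMPLE_SECURITY_TXT = """\
Contact: https://example.com/vulnerability-disclosure/
Contact: mailto:security@example.com
Policy: https://example.com/vulnerability-disclosure/
Encryption: https://example.com/pgp-key.txt
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""
# Constructed reference date so the checks below are reproducible.
CHECK_DATE = datetime(2029, 6, 1, tzinfo=timezone.utc)

def parse_security_txt(text):
    """Map lower-cased field names to their values; blank and '#' lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact: researchers have no reporting channel")
    for contact in contacts:
        if not contact.startswith(("https://", "mailto:", "tel:")):
            problems.append(f"Contact is not an https/mailto/tel URI: {contact}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:  # RFC 3339 timestamp; '%z' accepts a trailing 'Z' on Python 3.7+
            exp = datetime.strptime(expires[0], "%Y-%m-%dT%H:%M:%S%z")
            if exp <= now:
                problems.append("Expires is in the past; clients treat the file as stale")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is over a year out; RFC 9116 recommends less")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
    return problems
```

Run it against your real file with `validate_security_txt(open(".well-known/security.txt").read())` after each VDP republish, since a stale Expires silently invalidates the whole file for scanners that honour it.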