ENISA’s NIS2 technical implementation guidance treats vulnerability handling and disclosure as a distinct control area (6.10), separate from security testing (6.5) and security patch management (6.6). The practical implication is that organizations should be able to evidence an end-to-end vulnerability handling process that includes external intake, internal triage, remediation linkage, and disclosure handling aligned to the applicable national coordinated vulnerability disclosure policy.
A vulnerability disclosure policy (VDP) is not sufficient on its own. What matters is a VDP backed by an operating workflow with records that demonstrate 6.10 is implemented.
What ENISA separates in practice
For implementation purposes, three activities that are often blended in day-to-day security operations should be evidenced distinctly:
- Security testing (6.5): planned assessments with defined scope, methodology and reporting.
- Security patch management (6.6): remediation planning, patch deployment and operational confirmation of fixes.
- Vulnerability handling and disclosure (6.10): obtaining vulnerability information, assessing exposure, addressing critical vulnerabilities without undue delay, integrating handling with other management processes and maintaining a disclosure procedure aligned to coordinated vulnerability disclosure policy.
The key point is not organizational structure. It is evidence. Assessors will look for control specific artefacts and records that demonstrate 6.10 is implemented, repeatable and used.
Minimum viable VDP that can be evidenced
A VDP that stands up to scrutiny is a policy plus a workflow plus records. At minimum, the policy should define reporting channels, scope and safe harbor, triage targets, severity assessment, remediation and disclosure handling.
Public reporting channels
Provide a dedicated security contact and a stable reporting mechanism that remains valid over time. Make the reporting channel discoverable from the organization’s domain, commonly via /.well-known/security.txt, and offer an option for encrypted communication, such as a published PGP key.
Scope and safe harbor
Define which systems are in scope, which are excluded, and what testing behavior is allowed. State prohibited activities explicitly, including denial of service, social engineering, and physical intrusion. Include a good faith safe harbor statement.
Triage and response targets
Define measurable targets that you can meet and audit. For example, acknowledge receipt within 2 business days, provide an initial triage outcome within 7 business days, and define remediation targets by severity.
Severity and prioritization method
Use a consistent scoring approach (such as CVSS v3.1 or v4.0), and document what inputs drive the score in your environment.
Remediation linkage and verification
Every accepted report should map to an internal tracking ticket with an accountable owner, fix target and status. Closure should require verification evidence, such as retest notes, fixed version identifiers, and deployment confirmation, not only a developer comment stating “resolved.” If a report is closed as “won’t fix,” require a recorded rationale and approval.
Workflow design that prevents predictable failure modes
A disclosure workflow fails in repeatable ways. A workable design reduces noise, enforces reproducibility, assigns accountable ownership, and produces evidence that can survive assessment.
Filtering should remove reports that cannot be actioned. Define reject criteria for out-of-scope targets, missing reproduction steps, unclear impact, and non-actionable scanner output. Deduplication should be based on root cause and exploit path, not URL variations, and should preserve credit attribution when multiple reporters converge on the same issue.
Route every accepted report through a tracked system, not email forwarding. Require structured fields that allow audits and reporting, including asset and environment, severity and rationale, accountable owner, due date, fix version, deployment evidence, and a disclosure status log. Avoid “shared inbox only” ownership models, because they produce gaps when staffing changes and make SLAs non-verifiable.
Self-managed VDP risks and controls
A self-managed VDP can work, but only if it is resourced, measurable and enforced. Common failure modes and controls include:
- High noise volume: enforce submission requirements, reject non-reproducible reports, and implement deduplication based on root cause.
- Inconsistent triage decisions: publish acceptance criteria and apply a standard reproduction and severity checklist.
- Misrouting and delays: require a single owned intake channel, tracked case management, and named owners.
- Communication gaps: use templated acknowledgements, scheduled status updates and defined escalation triggers.
- Evidence gaps: retain timestamps, decisions, remediation linkage, and verification artefacts so cases can be reconstructed during assessment.
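The triage targets, the closure rule for "resolved" and "won't fix", the structured-field requirement and the root-cause deduplication described above fit naturally into one tracked case record. The code below is an added example, not Hackrate's or ENISA's tooling and not from the original article. It assumes the targets the text names (acknowledge within 2 business days, initial triage outcome within 7 business days), a simple weekday calendar with no holidays, and an illustrative (asset, component, weakness) tuple as the root-cause key; the field names, dates, reporter names and ticket identifiers in `demo()` are constructed.

```python
# Added example, not Hackrate's or ENISA's code. Targets (2 / 7 business days) are the
# ones the text names; field names, dedup key, dates and identifiers are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

ACK_TARGET_BDAYS = 2     # acknowledge receipt
TRIAGE_TARGET_BDAYS = 7  # initial triage outcome
# Structured fields every accepted report must carry so cases can be audited.
REQUIRED_FIELDS = ("asset", "environment", "severity", "severity_rationale", "owner", "due_date")

def add_business_days(start, days):
    """Advance by N weekdays (no holiday calendar; a simplification)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current

@dataclass
class VdpCase:
    case_id: str
    received: date
    reporters: List[str] = field(default_factory=list)
    asset: str = ""
    environment: str = ""
    severity: str = ""
    severity_rationale: str = ""
    owner: str = ""
    due_date: Optional[date] = None
    acknowledged: Optional[date] = None
    triaged: Optional[date] = None
    fix_version: str = ""
    deployment_evidence: str = ""
    retest_note: str = ""
    wont_fix_rationale: str = ""
    wont_fix_approver: str = ""
    status_log: List[Tuple[date, str]] = field(default_factory=list)

    def log(self, when, event):
        self.status_log.append((when, event))  # dated trail a case can be reconstructed from

def sla_breaches(case, today):
    """Acknowledgement and triage targets missed, or overdue as of today."""
    breaches = []
    for label, done, target in (("acknowledgement", case.acknowledged, ACK_TARGET_BDAYS),
                                ("initial triage", case.triaged, TRIAGE_TARGET_BDAYS)):
        deadline = add_business_days(case.received, target)
        if done is None and today > deadline:
            breaches.append(f"{label} overdue (due {deadline})")
        elif done is not None and done > deadline:
            breaches.append(f"{label} late (done {done}, due {deadline})")
    return breaches

def closure_blockers(case, wont_fix=False):
    """What still blocks closure; a developer comment saying 'resolved' never clears it."""
    needed = list(REQUIRED_FIELDS)
    needed += ["wont_fix_rationale", "wont_fix_approver"] if wont_fix else ["retest_note", "fix_version", "deployment_evidence"]
    return [f"{name} missing" for name in needed if not getattr(case, name)]

def dedup_key(asset, component, weakness):
    """Root-cause key: the same flaw reported via different URLs collapses to one case."""
    return (asset.strip().lower(), component.strip().lower(), weakness.strip().upper())

def register_report(index, key, case_id, received, reporter):
    """Open a case for a new root cause, or attach the reporter to the existing one, keeping credit."""
    if key in index:
        existing = index[key]
        if reporter not in existing.reporters:
            existing.reporters.append(reporter)
        existing.log(received, f"duplicate from {reporter} merged, credit retained")
        return existing
    case = VdpCase(case_id=case_id, received=received, reporters=[reporter])
    case.log(received, f"report received from {reporter}")
    index[key] = case
    return case

def demo():
    """Constructed walk-through: a report, a duplicate, the SLA state, and the closure gate."""
    index = {}
    received = date(2025, 1, 3)  # a Friday, so the 2-business-day target lands on Tue 7 Jan
    case = register_report(index, dedup_key("Customer portal", "login", "CWE-79"), "VDP-0001", received, "alice")
    register_report(index, dedup_key("customer portal", "Login", "cwe-79"), "VDP-0002", received, "bob")
    breaches = sla_breaches(case, date(2025, 1, 10))  # nobody has acknowledged yet
    case.acknowledged = date(2025, 1, 6)
    blockers_before = closure_blockers(case)
    case.asset, case.environment, case.owner = "customer portal", "production", "portal-team-lead"
    case.severity, case.severity_rationale = "High", "CVSS v3.1 base 7.5 (constructed)"
    case.due_date, case.fix_version = date(2025, 2, 7), "portal-2.14.1"
    case.deployment_evidence = "CHG-0420 deployed 2025-01-20 (constructed)"
    case.retest_note = "retested 2025-01-21, reflected input now encoded"
    return {"open_cases": len(index), "reporters": case.reporters, "breaches": breaches,
            "blockers_before": len(blockers_before), "blockers_after": closure_blockers(case)}
```

The point of `closure_blockers` is that it is the same check for every case: closure is gated on recorded evidence (or, for a won't-fix, a recorded rationale and approver), which is what turns a policy statement about remediation linkage into something an assessor can sample. The `status_log` and the timestamps fed to `sla_breaches` are the records that let a case be reconstructed later.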
When a Hackrate-managed VDP is justified
For many organizations, the hardest part of 6.10 is not writing a policy. It is operating the intake and triage loop reliably at volume with complete records.
Hackrate provides the Hackrate Ethical Hacking platform to manage vulnerability submissions through a structured intake channel with case tracking and an auditable record of actions and communications. We help validate reported issues, including reproduction and impact clarification, so your internal teams receive actionable findings rather than unfiltered inbox traffic. We also handle communication with ethical hackers, including acknowledgements, clarification requests, and status updates, so timelines remain predictable and interactions remain consistent.
Hackrate also provides the legal and operational documents required to run a VDP, so teams do not need to draft them from scratch. This includes VDP policy language, scope and safe harbor terms, disclosure rules, and program terms that can be adapted to your environment.
In this model, your organization retains decision rights for risk acceptance, remediation prioritization, and deployment approval. Hackrate focuses on managed intake, validation support, and communications, plus a complete evidence trail that connects submissions to triage outcomes and remediation status.