L-0017-2024

Public Consultation on the Coordinated Vulnerability Disclosure Policy (CVDP)


Closed

Ministry: Ministry for the Economy, Enterprise and Strategic Projects (MEEP)

Entity: Ministry for the Economy, Enterprise and Strategic Projects (MEEP)

Published: 11/09/2024

Running Till: 09/10/2024

Last Updated: 28/11/2024




The Coordinated Vulnerability Disclosure Policy ('CVDP') serves as a strategic framework and platform for managing and mitigating cybersecurity vulnerabilities within the island. The CVDP aims to enhance public trust and cooperation and to bridge the gap between companies, both public and private, referred to as "Responsible Organisations", and ethical hackers, referred to as "Security Researchers".

The scope of this CVD Policy is, amongst others, to meet the following objectives:

  1. To aid Responsible Organisations in establishing the terms and conditions that a Security Researcher must comply with prior to, during and after the security research. Therefore, where the Responsible Organisation puts into effect a CVD Policy and a Security Researcher performs security research under it, the CVD Policy of the Responsible Organisation will be tantamount to a binding agreement between the parties.
  2. To encourage Responsible Organisations to comply with their legal obligations under any applicable EU legislation and directives.
  3. To promote the adherence of Responsible Organisations to industry best practices and applicable standards with regard to the CVD Policy.
  4. To ensure that any type of information regarding a Vulnerability is handled carefully and in confidence.

The national CVDP puts forward several other salient obligations, including:

  1. the parameters within which Security Researchers can conduct their research, such as notifying MaltaCIPD, accessing only the digital components indicated by the Responsible Organisation, acting in good faith and not exceeding what is necessary;
  2. the requirement for the Responsible Organisation to notify CSIRTMalta in writing that it has established a CVDP of its own and to communicate that CVDP to MaltaCIPD;
  3. the legal obligations relating to personal data processing, where applicable;
  4. the mode of reporting, mitigating and disclosing vulnerabilities found in ICT Systems;
  5. the obligations of the Responsible Organisation to ensure clarity, accessibility and communication; and
  6. the possibility of rewards for Security Researchers who successfully identify vulnerabilities.

The document is part of a wider set of initiatives intended to strengthen the cybersecurity ecosystem. It was drafted by the Malta Digital Innovation Authority (MDIA) within the Ministry for the Economy, Enterprise and Strategic Projects and the Critical Infrastructure Protection Directorate within the Ministry for Home Affairs, Security and Employment.

https://economy.gov.mt/wp-content/uploads/2024/09/2024.08.27-CVD-Policy-Version-0.41.pdf
