The National Coordinated Vulnerability Disclosure Policy
ICT Systems are susceptible to vulnerabilities, and these vulnerabilities may leave ICT Systems prone to incidents that affect their security.
The Critical Infrastructure Protection Directorate (‘CIPD’) and the Malta Digital Innovation Authority (‘MDIA’) have worked together to address measures on coordinated vulnerability disclosure, as required under the National Cybersecurity Strategy 2023-2026 (‘the Strategy’) and Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures to ensure a high common level of cybersecurity in the Union (‘NIS 2 Directive’).
The National Coordinated Vulnerability Disclosure Policy (‘NCVDP’) encourages owners and managers of ICT Systems, referred to as ‘Responsible Organisations’, to adopt their own policies in line with this NCVDP. This policy can also be voluntarily adopted by other organisations not legally required to have a Coordinated Vulnerability Disclosure Policy (‘CVDP’). It is pertinent to note that ‘Essential’ entities as defined in the NIS 2 Directive will be required to have a CVDP.
The NCVDP obliges Responsible Organisations to communicate their CVDP to the CIPD, which will maintain a registry of these organisations and their respective CVDPs.
Once a CVDP is made public by a Responsible Organisation, a process is provided for Security Researchers or Participants to follow when conducting Vulnerability research on the ICT Systems owned or managed by the Responsible Organisation. The NCVDP also requires that such Security Researchers or Participants notify the Computer Security Incident and Response Team in Malta (‘CSIRTMalta’) within the CIPD.
The NCVDP puts forward several other salient obligations, including:
- The parameters within which the Security Researcher can conduct its research, such as accessing only the digital components indicated by the Responsible Organisation, acting in good faith and not exceeding what is necessary.
- The legal obligations relating to personal data processing, if required.
- The mode of reporting, mitigating and disclosing Vulnerabilities found in the ICT Systems.
- The obligations of the Responsible Organisation to ensure clarity, accessibility and communication.
- The possibility of rewards for Security Researchers who successfully identify Vulnerabilities.