The Vulnerability Handling Specification focuses on vulnerability management for open source codebases.
It details the necessary components of a vulnerability handling policy, including procedures for receiving reports, resolving issues, and disclosing vulnerabilities.
Additionally, it specifies the requirements for managing vulnerable dependencies.
Although the initial motivation for this specification is to support compliance with the essential requirements of the European Cyber Resilience Act, the intention is for this specification to be independent of any particular piece of legislation.
The Vulnerability Handling Specification is developed by the Cyber Resilience Practices Project of the Open Regulatory Compliance (ORC) Working Group.