When Disclosure Fails: Europe’s Struggle with CVD | CRA Monday

By Juan Rico

In this week’s CRA Monday session, we welcomed security consultant Piet De Vaere for a thought-provoking talk on the realities of coordinated vulnerability disclosure (CVD) in Europe.

Piet opened with a real incident from earlier this year, when he discovered a flaw in his bank’s online-banking login flow. The issue, rooted in how concurrent login requests are handled, could allow an attacker to hijack a user’s banking session with almost no visible warning to the victim. His walkthrough shows how even seemingly simple authentication flows can conceal serious design vulnerabilities.

But the technical bug was only half the story. Piet then shared the unexpected obstacles he faced when trying to report it: mandatory ID-verification requirements, NDA-style disclosure terms, and stalled communication with both the bank and the national CERT. His experience highlights how current CVD processes, even under NIS2 and the evolving CRA landscape, can unintentionally discourage responsible reporting.

To move forward, Piet suggests rethinking CVD policies as commitments made by organisations (not rulebooks imposed on reporters) and encourages the open source community and European institutions to work together on better disclosure practices.

You can watch the full recording below:
