The National Vulnerability Disclosure Policy guides ethical testing and reporting of vulnerabilities in the UAE’s critical systems. It establishes frameworks for disclosure, tester registration, reporting, validation, rewards, and performance monitoring.
The Cyber Security Council has established this policy to facilitate the identification of potential vulnerabilities while operating within the tenets of the UAE’s cybercrime laws. This will enable the mitigation of potential consequences on critical systems and services, thereby strengthening the UAE’s cyber resilience.
Vulnerability Disclosure Policy
Ethical Testing
Provides requirements to ensure that tests are conducted in good faith, maintaining system safety during execution.
Registration
Outlines registration requirements for the VD Program to ensure that both testers and entities maintain transparency while using the VDP platform.
Reporting
Establishes requirements for timely reporting of vulnerabilities related to UAE-based entities.
Validation and Acknowledgement
Provides requirements for reviewing and validating reported vulnerabilities and communicating them to the impacted entities.
Rewards and Closure
Highlights requirements to recognise and reward testers under a non-monetary benefit program.
Read the full policy here. (PDF, 2.1 MB)
02 Jul 2026