Lawmaker Wants Federal Contractors to Have Vulnerability Disclosure Policies 

Congresswoman Nancy Mace (R-SC) this week introduced a bill that would require federal contractors to implement a Vulnerability Disclosure Policy (VDP).

The proposed legislation, named the Federal Cybersecurity Vulnerability Reduction Act, would require a VDP that is consistent with NIST guidelines. This includes making it clear how vulnerabilities can be reported, establishing a system for providing feedback to reporters, and providing assurances that good faith security research is authoritized and welcomed. 

A VDP can help organizations learn about the existence of vulnerabilities in their systems and infrastructure by making it easier for third parties to report discovered security issues.

The US government has been relying on VDPs and bug bounty programs for years to find and patch vulnerabilities before they can be exploited by malicious actors. 

It’s also worth pointing out that binding operational directive BOD 20-01 from 2020 requires federal agencies to have a VDP. The new bill would expand the requirement, helping reduce risks associated with federal contractors. 

“By mandating Vulnerability Disclosure Policies (VDP) for federal contractors, we can ensure a proactive approach to cybersecurity, enabling contractors to identify and address software vulnerabilities promptly,” Congresswoman Mace said. “This legislation, aligned with internationally recognized standards, empowers contractors to stay ahead of malicious actors, preventing potential exploits and protecting sensitive information.”

Mace is chairwoman of the House Oversight Subcommittee on Cybersecurity, Informational Technology, and Government Innovation.

HackerOne, a cybersecurity company specializing in bug bounty programs and vulnerability disclosure policies, said on Thursday that it strongly endorses the bill, noting that the legislation “is an important step toward enhancing the cybersecurity resilience of the many businesses that support the federal government and have access to government data”.

The Pentagon has been running bug bounty programs since 2016, getting help from thousands of white hat hackers who discovered a total of more than 2,500 vulnerabilities. The payouts from more than 40 bug bounty programs total $650,000. 

In its inaugural VDP Platform Annual Report published on Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) said its VPD platform facilitated the remediation of more than 1,000 vulnerabilities through December 2022, including nearly 200 critical issues. 

Related: Microsoft Paid Out $13 Million via Bug Bounty Programs for Fourth Consecutive Year

Related: Hacker Conversations: Youssef Sammouda, Bug Bounty Hunter

Related: Adobe Inviting Researchers to Private Bug Bounty Program