Connect with us

Hi, what are you looking for?


Management & Strategy

Lawmaker Wants Federal Contractors to Have Vulnerability Disclosure Policies 

Congresswoman Nancy Mace has introduced a bill that would require federal contractors to have a Vulnerability Disclosure Policy (VDP).

Congresswoman Nancy Mace (R-SC) this week introduced a bill that would require federal contractors to implement a Vulnerability Disclosure Policy (VDP).

The proposed legislation, named the Federal Cybersecurity Vulnerability Reduction Act, would require a VDP that is consistent with NIST guidelines. This includes making it clear how vulnerabilities can be reported, establishing a system for providing feedback to reporters, and providing assurances that good faith security research is authoritized and welcomed. 

A VDP can help organizations learn about the existence of vulnerabilities in their systems and infrastructure by making it easier for third parties to report discovered security issues.

The US government has been relying on VDPs and bug bounty programs for years to find and patch vulnerabilities before they can be exploited by malicious actors. 

It’s also worth pointing out that binding operational directive BOD 20-01 from 2020 requires federal agencies to have a VDP. The new bill would expand the requirement, helping reduce risks associated with federal contractors. 

“By mandating Vulnerability Disclosure Policies (VDP) for federal contractors, we can ensure a proactive approach to cybersecurity, enabling contractors to identify and address software vulnerabilities promptly,” Congresswoman Mace said. “This legislation, aligned with internationally recognized standards, empowers contractors to stay ahead of malicious actors, preventing potential exploits and protecting sensitive information.”

Mace is chairwoman of the House Oversight Subcommittee on Cybersecurity, Informational Technology, and Government Innovation.

Advertisement. Scroll to continue reading.

HackerOne, a cybersecurity company specializing in bug bounty programs and vulnerability disclosure policies, said on Thursday that it strongly endorses the bill, noting that the legislation “is an important step toward enhancing the cybersecurity resilience of the many businesses that support the federal government and have access to government data”.

The Pentagon has been running bug bounty programs since 2016, getting help from thousands of white hat hackers who discovered a total of more than 2,500 vulnerabilities. The payouts from more than 40 bug bounty programs total $650,000. 

In its inaugural VDP Platform Annual Report published on Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) said its VPD platform facilitated the remediation of more than 1,000 vulnerabilities through December 2022, including nearly 200 critical issues. 

Related: Microsoft Paid Out $13 Million via Bug Bounty Programs for Fourth Consecutive Year

Related: Hacker Conversations: Youssef Sammouda, Bug Bounty Hunter

Related: Adobe Inviting Researchers to Private Bug Bounty Program

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem