The US House of Representatives has passed a bill that would oblige federal contractors to implement a vulnerability disclosure policy (VDP).
If the bill subsequently passes the Senate, security researchers would have a formalised process through which to responsibly report vulnerabilities in systems belonging to providers of goods and services to the federal government.
Under the Federal Contractor Cybersecurity Vulnerability Reduction Act (PDF), the Office of Management and Budget (OMB) would recommend updates to contract requirements and language around implementing VDPs within the Federal Acquisition Regulation (FAR), which governs federal procurement processes.
The OMB would consult with the director of the Cybersecurity and Infrastructure Security Agency (CISA), the National Cyber Director and the director of the National Institute of Standards and Technology (NIST) in drafting these recommendations.
The bill requires the Department of Defense (DOD) to conduct a similar review with regard to defence contractors.
VDPs would have to be consistent with NIST guidelines.
‘Reinforcing cyber resilience’
“Cyber threats don’t wait for bureaucratic red tape. This legislation ensures federal contractors meet the same high cybersecurity standards we expect from federal agencies,” said Nancy Mace, the congressional Republican who introduced the bipartisan bill in 2023. “By eliminating vulnerabilities before our adversaries can exploit them, we’re reinforcing America’s cyber resilience in real time.”
The bill has now been referred to the Committee on Homeland Security and Governmental Affairs.
VDPs have already been rolled out across US government departments, including the US Department of Justice (DOJ), Department of State, Department of Commerce, General Services Administration, Department of the Treasury and Department of Health and Human Services.
As of September 2024, CISA’s own VDP platform had, three years after launch, triaged over 12,000 submissions from 3,200 security researchers, resulting in 2,400 valid vulnerabilities (PDF), 2,000 of which had been remediated at that point.
UK VDPs undermined by ‘archaic law’?
News of the US VDP bill’s passage through the House came just a few days after the UK Home Office, which is responsible for immigration, security and law and order, launched its own VDP.
However, the announcement did not meet with universal acclaim. The CyberUp campaign has told Recorded Future News that the VDP, which prohibits researchers from breaking “any applicable law or regulations”, is undermined by the fact that “the Computer Misuse Act – an archaic law written in 1990 when just 0.5% of the population had internet access – blanketly criminalises all unauthorised access to computer systems, irrespective of intent or motive to act in the public interest.”
Piecemeal efforts to reform the law are currently stalling in the UK’s upper chamber.
VDPs have long been seen as best practice within the cybersecurity industry, with the publication of the ISO/IEC 29147:2014 guidelines on vulnerability disclosure a significant milestone. In recent years, however, the rate of adoption in both the public and private sectors has accelerated, partly in anticipation of regulatory requirements.
The recently enacted EU Cyber Resilience Act (CRA) for instance requires that vendors of products with digital elements (PDEs) implement VDPs. The UK Product Security and Telecommunications Infrastructure (PSTI) Act mandates similar obligations for Internet of Things (IoT) manufacturers.
Secure, coordinated vulnerability disclosure
As a secure channel for coordinated vulnerability disclosure, a VDP shows your customers that you take security seriously and can usefully complement a Bug Bounty Program. YesWeHack can help you create a branded VDP aligned with industry best practices and your specific needs and integrate it into your website. Other product features:
- Unified interface for receiving reports and managing vulnerabilities
- Only valid, actionable reports reach you, thanks to our in-house triage service
- Triage team can evaluate bug severity and liaise with security researchers
- End-to-end encryption ensures confidential communication