The Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget will require civilian agencies to develop vulnerability disclosure policies, allowing outside experts who have “seen something” that looks like a cyber weakness to “say something” to those who can fix it.
Under the draft binding operational directive released Wednesday, agency VDPs would make it clear that “an agency welcomes and authorizes good-faith security research on specific, internet-accessible systems,” CISA Assistant Director for Cybersecurity Jeanette Manfra wrote in a blog post.
Meanwhile, OMB will meet with executives from the Department of Homeland Security, the General Services Administration, the Commerce Department and other agencies to work on implementation strategies, as well as the benefits of leveraging bug bounty programs.