“The Homeland Security Department on Wednesday released a draft of a binding operational directive that would require every federal agency to create a vulnerability disclosure policy.”
“Under the measure, each civilian agency would need to create a formal process for security researchers to share vulnerabilities they uncover within the organization’s public-facing websites and other IT infrastructure. Agencies must also develop a system for reporting and closing the security gaps that are uncovered through the program.”
“Despite the growing popularity of public cyber initiatives like bug bounties, security researchers often find themselves in a legal gray area when reporting cyber weaknesses to the government. By creating vulnerability disclosure policies, agencies can set clear guardrails on legal hacking…”
“The BOD would bring the rest of the government up to speed with the Pentagon and the General Services Administration’s tech office, which have already established vulnerability disclosure programs. DHS is also in the process of finalizing its own policy…” Read the full article here.
Source: CISA Wants a Vulnerability Disclosure Program At Every Agency – By Jack Corrigan, November 27, 2019. Nextgov.