Proposed bill would require vulnerability disclosure policies for all federal contractors
The chair of a key House subcommittee on Thursday announced legislation that would mandate all federal contractors to have a vulnerability disclosure policy to help ensure that any software flaws are fixed before they can be exploited by hackers.
Rep. Nancy Mace (R-SC), who leads the House Oversight Committee’s cybersecurity panel, said the bill — dubbed The Federal Cybersecurity Vulnerability Reduction Act — would “play a crucial role in safeguarding our nation’s digital infrastructure.”
Vulnerability disclosure policies (VDPs) spell out how security researchers should notify organizations when they have discovered a flaw that can be abused by hackers, as well as any rewards or recognition offered for reporting such bugs.
By requiring every contractor to enact such policies, consistent with guidelines from the National Institute of Standards and Technology (NIST), “we can ensure a proactive approach to cybersecurity, enabling contractors to identify and address software vulnerabilities promptly,” according to Mace.
The federal government in recent years has worked to shore up its networks against malign actors, including in 2020 when the Cybersecurity and Infrastructure Security Agency (CISA) issued a directive that required agencies to set up VDPs. The practice has been embraced by several organizations, in particular the Defense Department, to cauterize potential weaknesses.
Mace’s bill would require CISA and NIST to work with the National Cyber Director and other entities to review federal contract requirements and language for VDPs and recommend possible updates.
The proposed legislation singles out the Pentagon, whose VDP effort has handled tens of thousands of flaws since it was established in 2016, to examine its massive contracting procedures in order to better protect its information systems.
Mace teamed up with cybersecurity firm HackerOne, which has helped DoD and others launch VDP and bug bounty efforts, to craft the measure.
“Engaging the security researcher community through VDPs is a proven, effective way for federal contractors to identify vulnerabilities in their systems,” Ilona Cohen, the company’s chief legal and policy officer, said in a statement.
Mace said the bill “empowers contractors to stay ahead of malicious actors, preventing potential exploits and protecting sensitive information” and would “reinforce our commitment to a robust and resilient cyberspace, fostering trust and security in the digital age.”
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.