The United States House of Representatives has passed a bill to the Senate that would require federal contractors to establish a vulnerability disclosure policy (VDP). The goal of this bill is to support individuals and organizations in efforts to responsibly disclose discovered vulnerabilities in contractors’ systems. 

This is a bipartisan bill introduced by Nancy Mace (R-S.C.), Chairwoman of the Cybersecurity, Information Technology, and Government Innovation Subcommittee, and Shontel Brown (D-O.H.), Ranking Member of the subcommittee. 

The bill, called the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, mandates the Office of Management and Budget (OMB) consults with CISA, NIST, the Office of the National Cyber Director, and other related departments. Furthermore, it would require the VDPs of federal contractors to be consistent with NIST guidelines. 

A group of cyber and tech organizations have encouraged the passing of this legislation. Below, cyber experts share their thoughts on this bill. 

Security leaders weigh in 

Trey Ford, Chief Information Security Officer at Bugcrowd:

Every company building or implementing technology and services needs a VDP, and this is a significant milestone in aligning contractors with industry best practices. Ultimately, the performance of a VDP is the best external proxy indicator for performance of a company’s security program. Establishing a VDP is necessary to create a safe harbor for users and researchers to report security concerns in good faith — a challenge that still exists in U.S. laws (CFAA, DMCA, etc…), and is of particular concern for researchers when interacting with governmental targets.

Mr. Piyush Pandey, CEO at Pathlock:

While ensuring application vulnerability is managed effectively is important, it’s just one risk dimension and perhaps not the most important. Over the last five years driven by digital modernization, unauthorized identity-related access to critical applications at the transaction level has introduced far more risk. In fact, public company filings from 2021 to 2023 report double-digit increases in both significant deficiencies, and more importantly material weaknesses. In short, while managing vulnerabilities is required, controlling unauthorized identity-related access to critical applications is also required to manage the most critical business risks today.

Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit:

VDP guidelines are based on NIST SP 800-216 to help manage risk related to reporting security vulnerabilities in software and information systems owned or utilized by the Federal Government. NIST SP 800-216 defines the terminology, coordination, scope, triage and prioritization of vulnerability information, the management of advisory information and public disclosure, and the relevant stakeholders. It also addresses how VDP offices (VDPO) are to be managed and run. 

The intended outcome of VDPO oversight and use of this framework is to increase visibility and compliance for vulnerability management in the Federal Government. This bill is focused on operational components of how vulnerability information is managed and disclosed to ensure compliance and oversight.

Framework-driven operations are more cost effective and better at reducing risk compared to those that are not. They also increase visibility and introduce a layer of governance and management that is not possible without such a framework and iterative approach to processes and controls.

Elad Luz, Head of Research at Oasis Security:

A VDP serves as an essential framework for fostering communication and building trust between security researchers and vendors. When security researchers identify vulnerabilities or weaknesses in a vendor’s product, a VDP helps define the ethical and responsible actions to take. It also outlines the vendor’s commitment, responsibility and responsiveness toward addressing those vulnerabilities.

Security researchers encounter vulnerabilities daily. The more vendors adopt VDPs, the more likely researchers are to report their findings responsibly, helping to mitigate risks before malicious actors can exploit them. By providing a safe and structured process, VDPs contribute to a more secure digital ecosystem. Furthermore, vendors with VDPs may choose to publicly acknowledge and credit researchers for their findings. In some cases, vendors may even offer monetary rewards or bounties, which serves as an incentive for ethical hackers to continue contributing to the security of the vendor’s products.

With the increasing frequency of credential leaks, VDPs provide a vital mechanism for security researchers to report incidents involving exposed credentials, whether they belong to human or non-human identities (e.g., service accounts, API keys). This helps the vendor to promptly address the issue, prevent unauthorized access and protect their users from further harm.

Jim Richberg, Head of Cyber Policy and Global Field CISO at Fortinet:

This bill aims to harmonize and streamline the vulnerability disclosure practices of companies offering essential digital services to the federal government with the internal practices already adopted by federal agencies. By doing so, it enhances the security and consistency of federal networks. Additionally, as many of these companies also serve private sector customers, the bill is likely to improve cybersecurity across the broader market, extending its benefits beyond just the federal market. 

Casey Ellis, Founder at Bugcrowd:

This bill transforms VDPs and the reception of hacker feedback from a “nice-to-have” into a mandatory FAR/DFAR procurement requirement. Building on strong VDP adoption within the U.S. Government through initiatives such as Hack the Pentagon and various congressional and DHS/OMB directives (including BOD 20-01), this bill joins the IoT Cybersecurity Act as one of the few directives leveraging procurement to ensure widespread VDP implementation. It also acknowledges VDP as best practice, driving alignment with ISO and NIST standards and further normalizing the relationship between the Federal Government, its supplier ecosystem, and the good-faith hacker community.

By making VDP a procurement requirement, the bill will accelerate the acceptance of hacker feedback within the U.S. Government and among the many contractors and vendors that support federal agencies. This legislation mandates that all companies contracting with the federal government adhere to recognized security best practices, elevating the overall standard of cybersecurity across federal supply chains. The bill highlights the U.S. Government’s growing recognition of the essential role hackers and security researchers play in safeguarding cyberspace, legitimizing ethical hackers — likened to “locksmiths” rather than “burglars” — in their efforts to protect critical systems.

Arriving at a pivotal moment for U.S. cybersecurity, particularly in federal and government-run infrastructure, this bill harnesses “all the brains we have, and all the brains we can borrow.” It lays the groundwork for deeper, more productive collaboration between the U.S. Government, its contractors and suppliers, and the ethical hacking community. 

Representatives Nancy Mace (R-S.C.) and Shontel Brown (D-O.H.) introduced the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025. It was first proposed in August 2023 and has since garnered extensive bipartisan support. 

The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 has strong bipartisan support and is generally seen as uncontroversial. In part, this is due to the broadly-known success of the Hack The Pentagon program and other Directives such as BOD 20-01, as well as the fact that vulnerability disclosure is pretty well-socialized on Capitol Hill at this point. It should, pending any dramatic shifts in sentiment or process, pass through to law later this year.