CISA to Improve Vulnerability Disclosure Practices
The Cybersecurity and Infrastructure Security Agency (CISA) issued a draft binding operational directive, BOD 20-01, which will require federal civilian executive branch agencies to publish a vulnerability disclosure policy (VDP).
"A VDP allows people who have 'seen something' to 'say something' to those who can fix it. It makes clear that an agency welcomes and authorizes good faith security research on specific, internet-accessible systems," CISA says. In preparing the directive, CISA worked with several agencies that already have VDPs and made an effort to align the directive with federal guidance, international standards and good practices.