Inside Cybersecurity

April 25, 2024

Daily News

CISA’s process for developing vulnerability disclosure policies needs to be reworked, researcher says

By Sara Friedman / October 16, 2020

The process outlined in a CISA binding operational directive for the development of vulnerability disclosure policies is flawed, according to a leading researcher in bug bounty programs, who argues that more preparatory work needs to be done.

The BOD issued on Sept. 2 required federal agencies within 30 days to enable the receipt of “unsolicited reports about potential security vulnerabilities,” prior to developing or publishing a policy, and to create an easily accessible way to find agency contacts involved....

