December 7, 2019
CISA issues draft operational directive requiring vulnerability disclosure policies at agencies
The Cybersecurity and Infrastructure Security Agency has released a draft binding operational directive setting a new requirement for federal agencies to publish a vulnerability disclosure policy, while seeking public input on the plan over the next month.
“A VDP allows people who have ‘seen something’ to ‘say something’ to those who can fix it. It makes clear that an agency welcomes and authorizes good faith security research on specific, internet-accessible systems,” outgoing CISA assistant director for cyber Jeanette Manfra said...