A bill establishing a new vulnerability disclosure program for federal contractors has passed the House, and will now move on to the Senate to be reviewed by the Committee on Homeland Security and Governmental Affairs. The bill, titled the “Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025,” would create new requirements for the vulnerability disclosure policies (VDP) of impacted contractors should it pass.
The new requirements would be based on existing NIST standards, and would be established by the Office of Management and Budget (OMB) in consultation with a number of other agencies such as CISA and the Office of the National Cyber Director. The Defense Department would also be instructed to develop similar requirements for defense contractors.
Vulnerability disclosure program clears first hurdle after years of attempts
The vulnerability disclosure program proposal has been in the works since it was introduced to the House in 2023, with a companion bill introduced to the Senate in 2024. The House Committee on Oversight and Accountability approved the bill in May 2024, and it appears that a recent push by a tech lobbying group that counts Microsoft and Trend Micro among its ranks helped to get it over the hump.
The bill is a bipartisan project; it was first introduced in the House by South Carolina Republican Nancy Mace and Ohio Democrat Shontel Brown. Similarly, the companion bill in the Senate was sponsored by Democrat Mark Warner and Republican James Lankford. Though it suffered from substantial delay, the vulnerability disclosure program appears to stand a good chance of passing given its focus on defending against the threats posed by China’s and Russia’s state-sponsored hackers.
If it ultimately passes, the vulnerability disclosure program will require the impacted departments to issue guidelines to contractors based on the Federal Acquisition Regulation (FAR). Federal contractors would face new requirements for how vulnerability disclosures are handled and for the language of their disclosure policies, drawn from NIST standards but with the specifics to be determined at a later date. The terms would apply to federal contractors at an acquisition level of $250,000 or greater, or to those that work directly with or maintain a federal agency’s information systems.
The DOD would be additionally tasked with updating the Defense Federal Acquisition Regulation Supplement (DFARS), which supplements the FAR with unique terms for handling matters such as classified information and national security concerns.
New vulnerability disclosure program would provide boost to security researchers
Most of the tech companies that signed off in support of the vulnerability disclosure program are cybersecurity specialists. The industry interest stems from the expected boost that security researchers will get in their regular duties, with improved vendor VDP adoption translating to both faster and easier responsible reporting and increased credit to the researchers that find vulnerabilities. This could also translate into an increase in “bug bounty” programs offered by vendors.
Casey Ellis, Founder at Bugcrowd (among the tech firms that lobbied in support of the bill), expands on this particular impact: “By making VDP a procurement requirement, HR 872 will accelerate the acceptance of hacker feedback within the U.S. Government and among the many contractors and vendors that support federal agencies. This legislation mandates that all companies contracting with the federal government adhere to recognized security best practices, elevating the overall standard of cybersecurity across federal supply chains. HR 872 highlights the U.S. Government’s growing recognition of the essential role hackers and security researchers play in safeguarding cyberspace, legitimizing ethical hackers (likened to ‘locksmiths’ rather than ‘burglars’) in their efforts to protect critical systems. Arriving at a pivotal moment for U.S. cybersecurity, particularly in federal and government-run infrastructure, HR 872 harnesses ‘all the brains we have, and all the brains we can borrow.’ It lays the groundwork for deeper, more productive collaboration between the U.S. Government, its contractors and suppliers, and the ethical hacking community.”
“Representatives Nancy Mace (R-SC) and Shontel Brown (D-OH) introduced the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025. It was first proposed in August 2023 and has since garnered extensive bipartisan support. The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 has strong bipartisan support and is generally seen as uncontroversial,” added Ellis. “It should, pending any dramatic shifts in sentiment or process, pass through to law later this year. Bugcrowd is proud to have supported the creation of this bill, and to continue to support passage of this bill through the Senate and into law, both directly and through our work with the Hacking Policy Council.”
Trey Ford, Chief Information Security Officer at Bugcrowd, adds: “Every company building or implementing technology and services needs a Vulnerability Disclosure Program (VDP), and this is a significant milestone in aligning Contractors with industry best practices. Ultimately, the performance of a VDP is the best external proxy indicator for performance of a company’s security program. Establishing a VDP is necessary to create a safe harbor for users and researchers to report security concerns in good faith – a challenge that still exists in US laws (CFAA, DMCA, etc…), and is of particular concern for researchers when interacting with governmental targets.”
There are relatively few prior examples of this sort of requirement being used in the government procurement space, and the new implementation was likely informed at least in part by the success of the “Hack the Pentagon” program (launched in 2016, with a planned third iteration announced in 2024). One of the few other pieces of federal legislation mandating vulnerability disclosure programs for contractors is the IoT Cybersecurity Act, which targeted non-compliant IoT devices and extended NIST-backed guidelines for vulnerability communication to subcontractors. That act’s terms went into effect in December 2022.
The new bill’s terms draw specifically on NIST SP 800-216, “Recommendations for Federal Vulnerability Disclosure Guidelines,” published in May 2023. That publication is itself derived directly from the IoT Cybersecurity Act and from 2020’s “Binding Operational Directive,” which required federal agencies to create vulnerability disclosure programs that enable users to report security issues they discover in agency systems directly to the federal government. That directive established the Vulnerability Disclosure Program Offices (VDPOs) for federal agencies as the operational units that address those reports and coordinate action when a vulnerability impacts multiple agencies simultaneously.
This move was generally well-supported by the cybersecurity community as it established a more efficient framework for addressing risk and improving visibility when new threats emerge. In addition to the expected impact on software flaws, one of the specific issues that vulnerability disclosure programs have proven to be very effective at addressing is the theft and leak of valid employee or service account login credentials. Timely credential rotation can often be all that is necessary to head off an otherwise devastating attack, as demonstrated by a number of recent headline-grabbing incidents such as the Chinese APT group breaches of Microsoft.
Jim Richberg, Head of Cyber Policy and Global Field CISO at Fortinet, foresees this bill as being one of those that has second-order impacts beyond the federal contractors it applies to: “This bill aims to harmonize and streamline the vulnerability disclosure practices of companies offering essential digital services to the federal government with the internal practices already adopted by federal agencies. By doing so, it enhances the security and consistency of federal networks. Additionally, as many of these companies also serve private sector customers, the bill is likely to improve cybersecurity across the broader market, extending its benefits beyond just the federal market.”
Elad Luz, Head of Research at Oasis Security, also sees this bill as having a positive “domino effect”: “A Vendor Disclosure Program (VDP) serves as an essential framework for fostering communication and building trust between security researchers and vendors. When security researchers identify vulnerabilities or weaknesses in a vendor’s product, a VDP helps define the ethical and responsible actions to take. It also outlines the vendor’s commitment, responsibility, and responsiveness toward addressing those vulnerabilities. Security researchers encounter vulnerabilities daily. The more vendors adopt VDPs, the more likely researchers are to report their findings responsibly, helping to mitigate risks before malicious actors can exploit them. By providing a safe and structured process, VDPs contribute to a more secure digital ecosystem.”