DHS to Require Federal Agencies to Set Vulnerability Disclosure Policies

The Cybersecurity and Infrastructure Security Agency (CISA) publishes a draft document mandating a vulnerability disclosure policy and a strategy for handling reports of security weaknesses.

The US government will require each civilian agency to create a public policy for software-vulnerability disclosure, as well as a strategy for handling any potential security weaknesses reported by researchers. 


In the statement posted online, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) warned that the absence of disclosure policies at most civilian agencies leaves researchers confused about whom to contact, doubtful that reported issues will be fixed, and fearful of legal action. A published vulnerability disclosure policy (VDP) means that anyone who finds and reports a software flaw knows in advance what to expect.


"A VDP allows people who have 'seen something' to 'say something' to those who can fix it," CISA said in its announcement. "It makes clear that an agency welcomes and authorizes good faith security research on specific, internet-accessible systems."


The move is the latest by the US government to work with security researchers and hackers to find, and plug, the weaknesses in its Internet-connected systems. In 2016, for example, the US Department of Defense announced its vulnerability disclosure policy and launched the Hack the Pentagon challenge, the first-ever bug bounty program run by the federal government. Since then, every branch of