Vulnerability disclosure policies
House Oversight Committee Chair Eyes VDP Requirements for Government Contractors
Rep. Nancy Mace, the chair of the House Oversight Committee Cybersecurity Subcommittee, has introduced the Federal Cybersecurity Vulnerability Reduction Act, which would require federal contractors to implement vulnerability disclosure policies. VDPs indicate how security researchers should notify organizations when potential exploits are discovered and what rewards can be obtained.
Mace explained that mandating every contractor to enact policies consistent with National Institute of Standards and Technology guidelines ensures a proactive cybersecurity approach.
Under Mace’s bill, NIST and the Cybersecurity and Infrastructure Security Agency would work with the Office of the National Cyber Director to undertake a review of federal contract requirements and language for VDP and suggest updates. The legislation specified that the contracting procedures of the Department of Defense’s VDP initiative would be reviewed.
HackerOne, a cybersecurity company that has supported DOD’s VDP and bug bounty efforts, contributed to the legislation. According to Ilona Cohen, the company’s chief legal and policy officer, VDPs are a proven way of identifying software exploits, The Record reported.