CISA Still Wants Your Thoughts on Its Vulnerability Disclosure Policy

Mark Van Scyoc/Shutterstock

The agency wants feedback on how the government should accept unsolicited bug reports.

Time’s running out for people to weigh in on Cybersecurity and Infrastructure Security Agency’s draft plan for government vulnerability disclosure policies.

During Thanksgiving week, CISA released a draft binding operational directive that will require all federal agencies to create formal policies to allow outsiders to report bugs and flaws in agency websites and other public-facing systems without facing legal reprisal. Only statutorily defined “national security systems” and defense and intelligence systems are excluded. 

“For this directive, we’re seeking feedback from the public before the directive is mandatory–something we’ve never done before–and we want to hear from individuals and organizations with expertise in vulnerability disclosure,” the agency tweeted.

The draft directive requires agencies to collect these unsolicited bug reporters, develop and publish an agency policy for vulnerabilities, and then expand the scope of which systems are included in the policy. Agencies must also create a plan for resolving reported bugs and report a variety of metrics on a quarterly basis through CyberScope.

CISA offers templates and guidance, such as “tone should be inviting, not threatening,” as well as a timeline: 

  • Within 15 business days of the directive, each agency must designate a security contact at the .gov registrar. 
  • Within 180 calendar days, publish a vulnerability disclosure policy and a security.txt file.
  • After 180 calendar days, all newly launched internet-accessible systems and services must be in scope of the policy. 
  • Within 270 calendar days and every 90 days after, the scope of the policy must increase by at least one internet-accessible system. 
  • At two years, all internet-accessible systems must be in scope of the policy. 

The agency will reshare the draft as a notice in the Federal Register tomorrow and is accepting comments through 11:59 p.m. Dec. 27. Interested parties can submit comments through GitHub, where comments will post with personal information, or emails to