US to order every federal agency to establish own bug reporting program in 2020

The Department of Homeland Security plans to issue a ‘binding operational directive’ that will require each and every agency to quickly develop and publish a vulnerability disclosure policy (VDP). 

DHS’s Cybersecurity and Infrastructure Security Agency (CISA) published a draft binding operational directive, BOD 20-01, on Thursday, which when finalized, will require most agencies in the executive branch to publish a VDP — a policy and procedures for receiving and responding to bug reports from the public.  

The rationale for the directive is fairly simple, even if developing a VDP isn’t: “When things are easier to do, more people will do them. Reporting vulnerabilities shouldn’t be hard,” said CISA.

CISA says most agencies lack a formal mechanism to receive reports from external security researchers, which can create delays or discourage the public from reporting potential security flaws in government websites, thus leaving them exposed for attackers to exploit. 

“This directive requires each agency to develop and publish a vulnerability disclosure policy (VDP), and maintain supporting handling procedures,” the draft directive from CISA director Christopher Krebs states.