September 3, 2020updated 04 Sep 2020 9:19am

CISA to .GOV Agencies: Get Vulnerability Disclosure Plans Sorted in 30 Days

"We see your work, we want to help, and we appreciate you"

By CBR Staff Writer

Federal agencies have been ordered to stop threatening and start thanking security researchers who report vulnerabilities in their internet-facing infrastructure.

The demand comes via a new “binding operational directive” (BOD) from the US’s Cybersecurity and Infrastructure Security Agency (CISA) published September 2.

This requires each agency to develop and publish a Vulnerability Disclosure Policy (VDP) and "maintain supporting handling procedures" within 30 days.

In practice, that means setting up/updating a security@ contact for each .gov domain, regularly monitoring the email address associated with it, and staffing it with personnel “capable of triaging unsolicited security reports for the entire domain.”

Security professionals are about to get even more in demand…

Want to Poke Holes in .gov Domains? Maybe Wait Another 180 Days… 

Agencies have longer (180 days) to clearly spell out what is in scope; at least “one internet-accessible production system or service must be”, CISA says.

The policy must also include “commitment to not recommend or pursue legal action against anyone for security research activities that the agency concludes represents a good faith effort to follow the policy, and deem that activity authorized.”


As CISA Assistant Director Bryan Ware notes: “Imagine walking your neighborhood in the cool dawn and noticing a home at the end of the block engulfed in flames. You look around. No one else appears to have noticed yet. What do you do? You’ll likely call 911, share the address of the burning home, and stick around to help if needed.


“Now, imagine visiting a government web application – say, – on a balmy evening and noticing an open redirect on the site. You click around. Nothing on the site hints at how to report this. What do you do? If you’re into cybersecurity, you might send a short email to, pulse some contacts when it bounces, and tweet something spicy about It doesn’t have to be this way…”

The move comes after CISA in November — as reported by Computer Business Review — asked for feedback on a draft operational directive, BOD 20-01, which would require most executive branch agencies to create a VDP that spells out to those who find flaws in an agency’s digital infrastructure “where to send a report, what types of testing are authorized for which systems, and what communication to expect in response.”

As CISA’s Bryan Ware noted, however, the federal vulnerability disclosure requirement is not a chance for over-eager vendors to start pitching their wares.

“A final note to those people who find and report vulnerabilities: we see your work, we want to help, and we appreciate you. To others that would use these new ways to reach agencies, please: this is not a business development opportunity, and pitches to aren’t going to be appreciated.

“Don’t @cisagov on your spicy tweets.”

Full details of the binding operational directive are here

