The U.S. House of Representatives passed a bill on March 3 requiring all federal contractors to submit a vulnerability disclosure program (VDP) to qualify for government contracts, including all Defense Department contracts.

Under the Federal Contractor Cybersecurity Vulnerability Reduction Act, which has moved on to the Senate Homeland Security and Government Affairs Committee, the Office of Management and Budget (OMB) must review the Federal Acquisition Regulation (FAR) and recommend updated contract requirements and language for VDPs.

VDPs help government and industry identify, report and mitigate information system vulnerabilities discovered by security researchers and software developers.

The VDP bill has strong support in the security industry, which on Feb. 28 submitted a letter to the top congressional leaders, encouraging them to support the legislation. Companies signing the letter included: HackerOne, Bugcrowd, Infoblox, Microsoft, Rapid7, Schneider Electric, and Tenable.

“Contractors, given the vast amount of sensitive data they handle, are prime targets for cyber threats,” the industry sponsors said in the letter. “As a result, the bill ensures all companies contracting with the federal government adhere to security best practices. The bill builds upon existing policies that have encouraged the adoption of VDPs, promoting a proactive approach to cybersecurity and helping protect critical systems before they can be exploited.”

Casey Ellis, founder at Bugcrowd, one of the companies that supported the industry letter, said the VDP bill has strong bipartisan support.

Most people in government and industry view the bill as uncontroversial, in part, because of the broadly known success of the Hack The Pentagon program and other directives, such as BOD 20-01, which requires federal agencies to develop and publish a vulnerability disclosure policy.

"Pending any dramatic shifts in sentiment or process, it should pass through to law later this year," said Ellis.

A VDP policy: This includes scope, objectives, and safe harbor.
An intake point: Defines where and how to submit to the VDP program.
A handling process: The organization must prioritize responsive communications with researchers, and a process for routing and addressing issues submitted.

“Every company building or implementing technology and services needs a VDP, and this is a significant milestone in aligning contractors with industry best practices,” said Ford. “Ultimately, the performance of a VDP is the best external proxy indicator for performance of a company's security program. Establishing a VDP is necessary to create a safe harbor for users and researchers to report security concerns in good faith — a challenge that still exists in U.S. laws and is of particular concern for researchers when interacting with governmental targets.”

Ted Miracco, chief executive officer at Approov, said that while mandating vulnerability disclosures represents a step forward, compliance alone won't stop nation-state cyber threats.

“To be truly effective, FAR requirements must be updated to address known weakness by including requirements for app attestation, API protections, and continuous validation,” said Miracco. “Federal contractors need real security solutions — not just regulatory checkboxes — to defend critical infrastructure against evolving attacks.”

Ken Dunham, cyber threat director at the Qualys Threat Research Unit, explained that these VDP guidelines are based on the framework detailed in NIST SP 800-216.

“Framework-driven operations are more cost effective and better at reducing risk compared to those that are not,” said Dunham. “They also increase visibility and introduce a layer of governance and management that’s not possible without such a framework and iterative approach to processes and controls.”
Should contractors disclose vulnerabilities to get government work?
