Executive Order Moves to Require Vulnerability Disclosure by Contractors, Raising the Bar on Federal Cybersecurity
WASHINGTON, D.C., June 22, 2026 – Today, the White House released the Executive Order “Securing The Nation Against Advanced Cryptographic Attacks,” marking a significant shift in cybersecurity policy by moving to require that covered contractors implement vulnerability disclosure programs (VDPs). This continues the movement of VDPs from best practice to a requirement for contractors and reflects the growing expectation of transparency across the public sector.
“The Executive Order’s inclusion of vulnerability disclosure policies is a clear signal: if you do business with the federal government, you’re part of the federal attack surface and must be part of its defense,” said Ilona Cohen, chief legal and policy officer at HackerOne and former general counsel of the White House Office of Management and Budget (OMB).
“You can’t protect federal IT systems by securing agencies alone,” Cohen continued. “Federal networks are only as resilient as the contractors supporting them. This Executive Order moves to close a long-standing gap by making vulnerability disclosure programs a baseline requirement for private companies that access federal data and systems. OMB has required agencies to run these programs since 2020 to identify and fix weaknesses before adversaries exploit them. That need is only becoming more urgent as frontier AI models accelerate vulnerability discovery and shorten the window between identification and exploitation. Extending that requirement to contractors will strengthen federal defenses by creating a clear, safe path for good-faith vulnerability reports to reach the teams that can fix them. Security leaders supporting the government should treat VDP implementation as operational readiness for federal contracting.”
The EO builds on the National Cyber Strategy released on March 6, 2026, and comes as federal agencies and contractors contend with expanding software supply chains, increased reliance on AI-enabled systems, and the rapid acceleration of AI-assisted vulnerability discovery. As advanced AI models make it easier to identify and weaponize software weaknesses, organizations face growing pressure to validate and remediate vulnerabilities more quickly. Together, these dynamics have heightened the need for coordinated, good-faith reporting channels that surface real-world vulnerabilities before adversaries can exploit them. Coordinated disclosure and open channels for vulnerability reporting, such as VDPs, are essential as America modernizes its IT infrastructure, including the cryptographic foundations the EO now brings within scope.
HackerOne has for years advocated for stronger, standardized VDPs. HackerOne led a coalition of top technology companies, including Microsoft and GitHub, urging Congress to strengthen the cybersecurity resilience of the federal government and its contractors by requiring VDPs. HackerOne has also helped the Department of Defense operationalize disclosure in high-stakes environments, including running its VDP and the Defense Industrial Base program. That experience has informed our policy advocacy, including our support for the bipartisan Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 (currently included in the House of Representatives’ version of the FY27 National Defense Authorization Act [NDAA]). HackerOne continues to collaborate with lawmakers, security researchers, and global government leaders to build disclosure pathways that are safe, structured, and capable of supporting the increased volume and velocity of vulnerability discovery in the AI era.
About HackerOne
HackerOne is a global leader in Continuous Threat Exposure Management (CTEM) and the only solution provider that pairs the trust of the Fortune 500 with the world's largest community of security researchers to secure the AI-native enterprise. The H1 Platform unites agentic AI solutions with security researchers’ ingenuity to continuously discover, validate, prioritize, and remediate exposures across code, cloud, and AI systems. Through solutions like bug bounty, vulnerability disclosure, agentic pentesting, AI red teaming, and code security, HackerOne delivers measurable, continuous reduction of cyber risk for enterprises. Industry leaders, including Anthropic, Crypto.com, General Motors, Goldman Sachs, Lufthansa, Uber, the UK Ministry of Defence, and the U.S. Department of Defense, trust HackerOne to safeguard their digital ecosystems. HackerOne was recognized in Gartner’s Emerging Tech Impact Radar: AI Cybersecurity Ecosystem report for its leadership in AI Security Testing.