Executive Order Raises the Bar on Federal Cybersecurity by Requiring Contractors to Enable Vulnerability Disclosure
WASHINGTON, D.C., [DATE] – Today, the White House released the [INSERT EXECUTIVE ORDER TITLE], marking a significant shift in cybersecurity policy by requiring federal contractors to implement vulnerability disclosure programs (VDPs). This action shifts VDPs from a recommended best practice to a required element of cybersecurity policy for federal contractors and reflects the growing expectation for transparency in how risk is managed across the public sector.
“The Executive Order’s inclusion of vulnerability disclosure policies is a clear signal: if you do business with the federal government, you’re part of the federal attack surface and must be part of its defense,” said Ilona Cohen, chief legal and policy officer at HackerOne and former general counsel of the White House Office of Management and Budget (OMB).
“You can’t protect federal IT systems by securing agencies alone,” Cohen continued. “Federal networks are only as resilient as the contractors supporting them. This Executive Order closes a long-standing gap by making vulnerability disclosure programs a baseline requirement for private companies that access federal data and systems. OMB has required agencies to run these programs since 2020 to identify and fix weaknesses before adversaries exploit them. Extending that requirement to contractors strengthens federal defenses by creating a clear, safe path for good-faith vulnerability reports to reach the teams that can fix them. Security leaders supporting the government should treat VDP implementation as operational readiness for federal contracting.”
The EO builds on [the National Cyber Strategy released on XX] and comes as federal agencies and contractors contend with expanding software supply chains, increased reliance on AI-enabled systems, and a faster-moving threat landscape. Together, these dynamics have heightened the need for coordinated, good-faith reporting channels that surface real-world vulnerabilities before adversaries can exploit them. Coordinated disclosure and open channels for vulnerability reporting, such as VDPs, are essential as America modernizes its IT infrastructure.
HackerOne has for years advocated for stronger, standardized VDPs. HackerOne led a coalition of top technology companies, including Microsoft and GitHub, urging Congress to strengthen the cybersecurity resilience of the federal government and its contractors by requiring VDPs. HackerOne has also helped the Department of Defense operationalize disclosure in high-stakes environments, including running its VDP and the Defense Industrial Base program. That experience has informed our policy advocacy, including our support for the bipartisan Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025. HackerOne continues to collaborate with lawmakers, security researchers, and global government leaders to build disclosure pathways that are safe, structured, and scalable.
About HackerOne
HackerOne is a global leader in Continuous Threat Exposure Management (CTEM). The HackerOne Platform unites agentic AI solutions with the ingenuity of the world’s largest community of security researchers to continuously discover, validate, prioritize, and remediate exposures across code, cloud, and AI systems. Through solutions like bug bounty, vulnerability disclosure, agentic pentesting, AI red teaming, and code security, HackerOne delivers measurable, continuous reduction of cyber risk for enterprises. Industry leaders, including Anthropic, Crypto.com, General Motors, Goldman Sachs, Lufthansa, Uber, UK Ministry of Defence, and the U.S. Department of Defense, trust HackerOne to safeguard their digital ecosystems. HackerOne was recognized in Gartner’s Emerging Tech Impact Radar: AI Cybersecurity Ecosystem report for its leadership in AI Security Testing and has been named a Most Loved Workplace for Young Professionals (2024).