HackerOne and Other Leading Technology Companies Urge Congress to Retain Critical Bipartisan Cybersecurity Language in National Defense Authorization Act

November 13th, 2025

WASHINGTON, D.C., NOVEMBER 13, 2025 – HackerOne today led a group of top technology companies in urging Congressional leadership to retain Section 1514 of the House-passed Fiscal Year 2026 National Defense Authorization Act to improve the cybersecurity resilience of the federal government and its contractors. The provision addresses a longstanding gap in the federal government’s defensive posture by ensuring that federal contractors are equipped to protect against increasingly sophisticated threats.

“Foreign actors have escalated cyber attacks on the federal government and our nation’s critical infrastructure,” said Ilona Cohen, chief legal and policy officer of HackerOne. “While federal agencies have adopted vulnerability disclosure policies to protect sensitive data from exploitation, this legislation is needed to bring the practices of federal contractors up to the same standards of the agencies they serve.”

Federal contractors and subcontractors play a crucial role in supporting the government's operations and often handle sensitive government information and personal data. As a result, they are frequent targets for cyberattacks by hackers seeking to exploit vulnerabilities to gain access to government information and disrupt mission-critical operations.

Under Sec. 1514, federal contractors would be required to implement a Vulnerability Disclosure Policy (VDP) as a means to receive disclosures of security vulnerabilities in their software and systems. This would ensure that, despite the continuously evolving threat landscape, contractors are equipped to address security vulnerabilities proactively, implementing necessary patches or other mitigations as needed to protect critical systems before they can be exploited. According to the White House Office of Management and Budget, vulnerability disclosure policies “are among the most effective methods for obtaining new insights regarding security vulnerability information and provide high return on investment.”

Sec. 1514 of the House-passed NDAA enjoys strong bipartisan support in both the House and Senate. It mirrors the language of H.R. 872, the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, introduced by Reps. Nancy Mace (R-SC) and Shontel Brown (D-OH), which passed the House by voice vote in March. The bipartisan Senate companion bill, S. 1899, was introduced by Sens. Mark Warner (D-VA) and James Lankford (R-OK) in May, reflecting shared recognition across party lines that federal contractor security is inseparable from national security.

About HackerOne

HackerOne is a global leader in Continuous Threat Exposure Management (CTEM). The HackerOne Platform unites agentic AI solutions with the ingenuity of the world’s largest community of security researchers to continuously discover, validate, prioritize, and remediate exposures across code, cloud, and AI systems. Through solutions like bug bounty, vulnerability disclosure, agentic pentesting, AI red teaming, and code security, HackerOne delivers measurable, continuous reduction of cyber risk for enterprises. Industry leaders, including Anthropic, Crypto.com, General Motors, Goldman Sachs, Lufthansa, Uber, UK Ministry of Defence, and the U.S. Department of Defense, trust HackerOne to safeguard their digital ecosystems. HackerOne was recognized in Gartner’s Emerging Tech Impact Radar: AI Cybersecurity Ecosystem report for its leadership in AI Security Testing and has been named a Most Loved Workplace for Young Professionals (2024).