WASHINGTON D.C., MAY 15, 2024 – Today, the House Oversight and Accountability Committee marked a significant milestone in bolstering the nation's cybersecurity defenses by completing its markup of the Federal Cybersecurity Vulnerability Reduction Act (H.R.5255). This legislation requires federal contractors to adopt a Vulnerability Disclosure Policy (VDP) aligned with existing National Institute of Standards and Technology (NIST) guidelines. HackerOne, which led 18 other companies in urging Congressional leadership to pass the legislation, commends the Committee's vote to advance the bill.

“We applaud Chairman Comer and Ranking Member Raskin for moving the Federal Cybersecurity Vulnerability Reduction Act to the next step in the process. This legislation will protect consumers and critical infrastructure by helping ensure that federal contractors are able to leverage the amazing security researcher community to effectively address security vulnerabilities,” said Marten Mickos, CEO of HackerOne.

The lack of widely adopted VDPs among government contractors has left a critical gap in cybersecurity readiness. Despite the strides federal agencies have made in implementing VDPs, and the National Cybersecurity Strategy's call for VDPs "across all technology types and sectors," many government contractors have yet to adopt this essential practice. This legislation is intended to close that gap by ensuring federal contractors establish a process, aligned with industry best practice, to receive and address reports of security vulnerabilities before those vulnerabilities can be exploited by malicious actors.

Federal contractors play a crucial role in federal supply chains and infrastructure, but they also present a distinct security risk because of their proximity to, and access to, government data and networks. H.R.5255 will help ensure these businesses actively protect government systems from exploitation and maintain the integrity of sensitive data.

“We commend Chairman Comer and Ranking Member Raskin for marking up the Federal Cybersecurity Vulnerability Reduction Act this week. VDPs are a proven, cost-effective tool to help organizations identify and fix vulnerabilities in their systems before they are exploited. The federal government’s systems cannot be secured unless contractor systems have also been secured. This legislation will improve the cybersecurity of the businesses that support the federal government,” said Ilona Cohen, Chief Legal and Policy Officer of HackerOne.

Read more about adoption best practices and the benefits of VDPs here.

About HackerOne

HackerOne is the global leader in human-powered security. HackerOne leverages human ingenuity to pinpoint the most critical security flaws across your attack surface to outmatch cybercriminals. The HackerOne Platform combines the most creative human intelligence with the latest artificial intelligence to reduce threat exposure at all stages of the software development lifecycle. From meeting compliance requirements with pentesting to finding novel and elusive vulnerabilities through bug bounty, HackerOne’s elite community of ethical hackers helps organizations transform their businesses with confidence. HackerOne has helped find and fix vulnerabilities for sector leaders including Coinbase, General Motors, GitHub, Goldman Sachs, Hyatt, PayPal, and the U.S. Department of Defense.