Ilona Cohen
Chief Legal and Policy Officer

2024 Budget Planning: Preparing For U.S. Mandates to Implement Vulnerability Disclosure Policies (VDPs)

Computer screen showing budgeting sheet

By Ilona Cohen, Chief Legal and Policy Officer
Michael Woolslayer, Policy Counsel

The end of the year approaching means it’s budget season for many organizations. As companies work to finalize their spending plans for the new year, now is the time to ensure your cybersecurity budget is resourced to address growing compliance requirements and to boost cyber resilience. U.S. policymakers are increasingly encouraging and mandating public and private sector organizations to enhance their cybersecurity programs, including through the adoption of Vulnerability Disclosure Policies (VDPs). Have you planned for a VDP in next year’s budget?

New and Upcoming Public Policy on VDPs

VDPs are in the midst of a shift from an industry best practice to a legal requirement. Lawmakers and regulators increasingly understand that VDPs are an effective way to ensure organizations proactively identify and address vulnerabilities before malicious actors exploit them. 

This shift to mandate VDPs is evident in recent U.S. Government action. Several years ago, the government directed federal agencies to implement VDPs, while Congress passed a bipartisan Internet of Things (IoT) Cybersecurity Improvement Act. The IoT Act and guidance in President Biden’s subsequent cybersecurity executive order led to the development of additional standards that, among many other things, require providers of IoT devices to the Federal Government to implement VDPs. 

Despite recent progress, gaps remain. New legislation, the Federal Cybersecurity Vulnerability Reduction Act, would close a gap by mandating VDPs for all federal contractors. The Biden Administration stresses the critical need to reduce software vulnerabilities through the adoption of vulnerability disclosure programs across all technologies and all sectors in the National Cyber Strategy and Implementation Plan. The draft secure software attestation form that any provider of software to the federal government will have to complete requires providers to have a VDP and a process for accepting, reviewing, and addressing vulnerabilities reported by the security research community. Additionally, Congress is considering amendments to the primary U.S. law that establishes cybersecurity requirements for federal information systems, which would require agencies to implement penetration testing and VDPs. 

Engagement with the security research community is increasingly an integral, baseline requirement for organizations’ cybersecurity strategy. The Securities and Exchange Commission (SEC)’s final rule on cybersecurity risk management reinforces this view, as it requires publicly traded companies to disclose in detail their cybersecurity risk management processes in annual reports; a VDP sends a signal to regulators and investors that an organization takes cybersecurity seriously and is taking proactive steps to identify and mitigate vulnerabilities in their systems.

Include a VDP in Your Budget

Given the U.S government’s direction to private and public sector organizations to rely on security researchers, those same organizations must incorporate VDP plans into their business strategies and budgets. A VDP should not be viewed as just a regulatory requirement, but as an investment that boosts cyber resilience, positioning businesses for long-term success. Legal and regulatory trends encourage organizations to embrace the security research community to help pave the way for a safer, more secure digital ecosystem for everyone. To learn more about how to effectively integrate a VDP into your budget, contact the experts at HackerOne.

The Ultimate Guide to Managing Ethical and Security Risks in AI

AI Ebook