Ilona Cohen
Chief Legal and Policy Officer
Security Compliance,
Public Policy

VDPs Are Good For the Government — and Good For Business


Last week, Congress introduced the Federal Cybersecurity Vulnerability Reduction Act of 2023, which would require federal contractors to implement a Vulnerability Disclosure Policy (VDP). VDPs are an accepted security best practice: they give ethical hackers clear guidelines for reporting vulnerabilities to an organization so the organization can fix them before cybercriminals exploit them.

Federal contractors play a critical role in supporting the U.S. government. Because they have access to federal systems and data, a weakness in a contractor's environment can affect the security of the broader federal digital ecosystem. Yet not all companies that do business with the federal government have established programs for receiving and acting on vulnerability reports. This legislation seeks to close that gap. 

“We want to thank Congress for introducing such important legislation. When federal contractors can effectively address security vulnerabilities, every U.S. citizen will be better protected against cyberattacks.”
– Marten Mickos, CEO of HackerOne

The Federal Government Has Embraced Hackers

This legislation builds on the federal government's strong support for vulnerability disclosure policies as a cybersecurity best practice. Building on the two Administrations before it, the Biden White House recently recognized the importance of coordinated vulnerability disclosure (CVD) in the National Cybersecurity Strategy, calling for it "across all technology types and sectors." 

The Defense Department has repeatedly engaged the ethical hacker community to identify and address vulnerabilities in its systems. Launched in 2016, Hack the Pentagon began HackerOne's longstanding relationship with the Department of Defense and other government programs. To date, the Defense Department's VDPs have surfaced more than 47,000 valid vulnerabilities. 

In addition to our work with the federal government, we have seen how VDPs can improve security for federal contractors themselves. Last year, the Defense Department worked with ethical hackers to strengthen security across the Defense Industrial Base sector. The 41 participating contractors saw a positive, direct impact on their systems, with more than 400 actionable reports submitted during the pilot program.

VDPs are an essential ingredient for ensuring the resiliency of federal systems and data and strengthening the nation’s cybersecurity posture. 

Why VDPs Are Good for Business

If you’re a company that conducts business with the federal government, you may be wondering what this legislation could mean for your organization.

VDPs invite a large network of law-abiding individuals to help businesses improve their cybersecurity posture effectively and inexpensively. Hackers know the techniques attackers use to get into weak systems and apply that knowledge for good, identifying vulnerabilities and reporting them to the affected organization.

A VDP provides a public-facing avenue and methodology for these hackers (or anyone) to disclose bugs to an organization before bad actors exploit them. VDPs have many benefits, including:

  • Simplifying remediation. A VDP gives an organization a defined process for handling reports and public disclosure, so it can patch weaknesses before they become public knowledge. By streamlining the remediation process and keeping a channel open to the reporting hacker, organizations can develop a fix and disclose the issue publicly more quickly.
  • Clarifying expectations for bug finders. A VDP tells the public what to expect: how to report, who will respond, and on what timeline. Miscommunication between hackers and organizations can lead to a vulnerability being disclosed before a patch is deployed; a clear, published VDP with agreed timelines sharply reduces that risk.
  • Building brand trust and reducing the risk of a costly breach. A VDP surfaces vulnerabilities that bad actors could otherwise exploit, reducing the chances of a breach that would damage your organization's reputation. A proactive plan for disclosure also shows that your organization takes security seriously, which builds trust with customers and investors.

To learn more about establishing a VDP and how government contractors can meet the proposed requirements of the Federal Cybersecurity Vulnerability Reduction Act, contact the team at HackerOne.