
The United States House of Representatives has passed a bill, now sent to the Senate, that would require federal contractors to establish a vulnerability disclosure program (VDP). The goal of the act is to help individuals and organizations properly share vulnerabilities they discover in contractors' systems.
This bipartisan bill was introduced by Nancy Mace (R-S.C.), Chairwoman of the Cybersecurity, Information Technology, and Government Innovation Subcommittee, and Shontel Brown (D-Ohio), Ranking Member of the subcommittee.
The bill, the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, mandates that the Office of Management and Budget (OMB) consult with CISA, NIST, the Office of the National Cyber Director, and other relevant departments. The VDPs of federal contractors would also need to remain consistent with NIST guidelines.
A group of computer and technology organizations has weighed in on the progress of this legislation. Below, security experts share their thoughts on the bill.
Security officials weigh in
Trey Ford, Chief Information Security Officer at Bugcrowd:
Every business building or implementing technology and services needs a VDP, and this is a major breakthrough in aligning companies with industry best practices. Finally, the performance of a VDP is the best physical surrogate marker for achievement of a company’s security program. Establishing a VDP is necessary to create a safe harbor for users and researchers to report security concerns in good faith — a challenge that still exists in U.S. laws (CFAA, DMCA, etc.), and is of particular concern for researchers when interacting with governmental targets.
Mr. Piyush Pandey, CEO at Pathlock:
While ensuring software risk is managed properly is important, it’s only one risk dimension and perhaps not the most essential. Over the last five years, driven by digital development, illicit identity-related access to critical applications at the purchase amount has introduced much more risk. In fact, open company filings from 2021 to 2023 report double-digit increases in both major deficiencies, and more importantly product weaknesses. In short, while managing risks is required, controlling illicit identity-related access to essential applications is also required to manage the most critical business challenges today.
Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit:
VDP guidelines are based on to help manage risk related to reporting security vulnerabilities in software and information systems owned or utilized by the Federal Government. It defines the terminology, coordination, scope, triage and prioritization of vulnerability information, the management of advisory information and public disclosure, and the relevant stakeholders. It also addresses how VDP offices (VDPO) are to be managed and run.
The intended outcome of VDPO oversight and use of this framework is to increase visibility and compliance for in the Federal Government. This bill is focused on operational components of how vulnerability information is managed and disclosed to ensure compliance and oversight.
Framework-driven operations are more cost effective and better at reducing risk compared to those that are not. They also increase visibility and introduce a layer of governance and management that is not possible without such a framework and iterative approach to processes and controls.
Elad Luz, Head of Research at Oasis Security:
A VDP serves as an essential framework for fostering communication and building trust between security researchers and vendors. When security researchers identify vulnerabilities or weaknesses in a vendor’s product, a VDP helps define the ethical and responsible actions to take. It also outlines the vendor’s commitment, responsibility and responsiveness toward addressing those vulnerabilities.
Security researchers encounter vulnerabilities daily. The more vendors adopt VDPs, the more likely researchers are to report their findings responsibly, helping to mitigate risks before malicious actors can exploit them. By providing a safe and structured process, VDPs contribute to a more secure digital ecosystem. Furthermore, vendors with VDPs may choose to publicly acknowledge and credit researchers for their findings. In some cases, vendors may even offer monetary rewards or bounties, which serves as an incentive for to continue contributing to the security of the vendor’s products.
With the increasing frequency of credential leaks, VDPs provide a vital mechanism for security researchers to report incidents involving exposed credentials, whether they belong to human or non-human identities (e.g., service accounts, API keys). This helps the vendor to promptly address the issue, prevent unauthorized access and protect their users from further harm.
Jim Richberg, Head of Cyber Policy and Global Field CISO at Fortinet:
This bill aims to harmonize and streamline the vulnerability disclosure practices of companies offering essential digital services to the federal government with the internal practices already adopted by federal agencies. By doing so, it enhances the security and consistency of federal networks. Additionally, as many of these companies also serve private sector customers, the bill is likely to improve cybersecurity across the broader market, extending its benefits beyond just the federal market.
Casey Ellis, Founder at Bugcrowd:
This bill transforms VDPs and the reception of hacker feedback from a “nice-to-have” into a mandatory FAR/DFAR procurement requirement. Building on strong VDP adoption within the U.S. Government through initiatives such as Hack the Pentagon and various congressional and DHS/OMB directives (including BOD 20-01), this bill joins the IoT Cybersecurity Act as one of the few directives leveraging procurement to ensure widespread VDP implementation. It also acknowledges VDP as best practice, driving alignment with ISO and NIST standards and further normalizing the relationship between the Federal Government, its supplier ecosystem, and the good-faith hacker community.
By making VDP a procurement requirement, the bill will accelerate the acceptance of hacker feedback within the U.S. Government and among the many contractors and vendors that support federal agencies. This legislation mandates that all companies contracting with the federal government adhere to recognized security best practices, elevating the overall standard of cybersecurity across federal supply chains. The bill highlights the U.S. Government’s growing recognition of the essential role hackers and security researchers play in safeguarding cyberspace, legitimizing ethical hackers — likened to “locksmiths” rather than “burglars” — in their efforts to protect critical systems.
Arriving at a pivotal moment for U.S. cybersecurity, particularly in federal and government-run infrastructure, this bill harnesses “all the brains we have, and all the brains we can borrow.” It lays the groundwork for deeper, more productive collaboration between the U.S. Government, its contractors and suppliers, and the ethical hacking community.
Representatives Nancy Mace (R-S.C.) and Shontel Brown (D-Ohio) introduced the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025. It was first proposed in August 2023 and has since garnered extensive bipartisan support.
The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 has strong bipartisan support and is generally seen as uncontroversial. In part, this is due to the widely known success of the program and other directives such as , as well as the fact that vulnerability disclosure is by now well socialized on Capitol Hill. Barring any dramatic shift in sentiment or process, it should pass into law later this year.