"CISA Pushes Vulnerability Disclosure Policies"

The U.S. Homeland Security Department's Cybersecurity & Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD) ordering federal executive branch departments and agencies to develop and publish vulnerability disclosure policies (VDPs). A BOD is a compulsory direction in support of safeguarding federal information and information systems. BOD 20-01 requires most executive branch agencies to publish a VDP as a public web page within 180 calendar days after this directive's issuance. The VDP must include which systems are in scope, what types of testing are allowed, a description of how to submit vulnerability reports, and more. This article continues to discuss the finalization, requirements, and importance of the new directive.

Infosecurity Magazine reports: "CISA Pushes Vulnerability Disclosure Policies"

 
