The bill strengthens federal cybersecurity by requiring vendor vulnerability disclosure and coordinated reporting, but does so at the cost of higher compliance burdens (especially for small vendors) and lingering timing and legal risks for researchers and third parties.
Federal agencies and the public: contractors must publish and follow vulnerability disclosure policies and report vulnerabilities to CISA/CVE/NVD, improving discovery and patching of government-facing systems.
Security researchers/testers: contractors commit not to demand PII and to refrain from suing for good-faith accidental testing, reducing legal risk for legitimate testers.
Agencies, contractors, and citizens: standardized reporting timelines and obligations to submit CVEs increase transparency and accountability for remediation, helping prioritize fixes that affect services and taxpayers.
Taxpayers and government procurement: contractors face added compliance costs to design, publish, maintain, and report under VDPs, which can raise contract prices and impose a heavier burden on small vendors or subcontractors, potentially narrowing the vendor pool.
Third parties and some users: mandatory reporting to CISA, combined with withholding disclosure until remediation is available, can delay public notice and leave other affected parties exposed during the remediation window.
Security researchers: contractor non-prosecution/notification commitments may not fully shield researchers from third-party lawsuits or court actions, leaving residual legal and financial risk.
Based on analysis of 2 sections of legislative text.
Introduced February 12, 2025 by Ted Lieu · Last progress February 12, 2025
Requires information-technology contractors that do business with executive agencies to publish and maintain a vulnerability disclosure policy and program as a condition for entering IT contracts. Contractors must describe which systems are in scope, the rules for allowed testing, how sensitive data is handled, and the procedures and timelines for receiving and resolving reports; host a public submission page; avoid requiring researchers' personal data; and promise not to bring civil suits for good-faith accidental testing. Mandates timely reporting to the Cybersecurity and Infrastructure Security Agency (CISA): contractors must notify CISA within 7 days after publishing their policy and submit certain credible reports of previously unknown public vulnerabilities (affecting other government or industry parties) once a patch or mitigation is available; CISA must coordinate and, where appropriate, submit entries to the MITRE CVE list and the NIST National Vulnerability Database.