Fed Vulnerability Disclosure Program for Government Contractors Could Prompt Boom for White Hat Researchers

Mar 11, 2025

A bill that is working its way through Congress might end up providing a general boom for cybersecurity vulnerability research, and is now in the hands of the Senate after passing the House. The “Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025” establishes vulnerability disclosure program guidelines and requirements for federal agency contractors, but the effects could be further-reaching.

Vulnerability disclosure program formally encourages security researcher contributions

After a little over two years of wrangling, the vulnerability disclosure program bill is moving on and is generally seen as having a very good chance of passing due to bipartisan interest and support. It was also boosted by the lobbying of a coalition of tech and cybersecurity firms, with Microsoft at their head. The lede for security researchers is that federal contractors will be more in need of their services, the reporting process can be expected to be significantly improved, and more bug bounties may be available. This might also have a spillover effect to non-government organizations as the new standards are put into place and feedback from “white hat” hackers becomes even more normalized at the highest levels.

The vulnerability disclosure program bill was first proposed in mid-2023 by representatives Nancy Mace (R-SC) and Shontel Brown (D-OH) and endorsed by the House Oversight committee in 2024. Though it has moved along somewhat slowly, the bill has a bipartisan companion in the Senate with similar support and is very likely to pass in the near future.

Vulnerability disclosure programs have long been somewhat problematic at the federal level, due in part to lack of formal policy and in part to hesitation caused by the Computer Fraud and Abuse Act (CFAA) and other relevant laws and regulations. The bill is a big step toward formally opening the doors of federal agencies to ethical hacking assistance. Support for “white hat” involvement has been gradually growing since 2016’s initial “Hack the Pentagon” event was successful, followed up by a sequel and now set for a third installment sometime in the near future.

OMB, CISA working on new guidelines

If the law passes, the Office of Management and Budget (OMB) will develop the specifics along with CISA and the Office of the National Cyber Director (ONCD). The Defense Department would also be engaged with its own vulnerability disclosure program, which has special requirements for its contractors due to the secret and classified materials in play.

The bill likely will be passed, as the emphasis in government is on defense from China and Russia’s state-backed hackers, and that is a major point of focus for both Republicans and Democrats at present. The guidelines will be based on existing NIST guidelines for disclosure within federal agencies as well as the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS). Some smaller contractors would be exempt, however: those with contracts beneath $250,000, unless they work directly with or maintain a federal agency’s internal systems.

Adoption of the vulnerability disclosure program is still not quite guaranteed, but it is poised to create a ripple effect across the broader cybersecurity market if it passes. It is highly likely to push broad adoption of vulnerability disclosure programs (VDPs), which in turn both provides incentives to security researchers and makes the reporting process easier on them. That ultimately leads to vulnerabilities being closed off more quickly and fewer attacks across the board.
