Bill > HR1258

This bill requires information technology (IT) contractors working with the federal government to establish and maintain a comprehensive vulnerability disclosure policy and program. The policy must include details such as which systems are in scope, allowed types of technology testing, guidelines for handling sensitive information, and clear procedures for researchers to submit vulnerability reports anonymously. Contractors must provide a dedicated webpage for vulnerability submissions, outline communication processes with researchers, and set target timelines for addressing reported vulnerabilities. Additionally, contractors must report valid or credible vulnerabilities to the Cybersecurity and Infrastructure Security Agency (CISA) within 7 days of discovery, particularly those involving commercial software that could potentially impact other government or industry entities. If a vulnerability is discovered that the contractor cannot patch themselves, they must either submit it to the responsible party or direct the researcher accordingly. The bill aims to improve cybersecurity practices by creating a standardized, transparent process for identifying and addressing potential security weaknesses in government IT systems, while protecting researchers who discover and report these vulnerabilities in good faith.

Government Affairs

https://www.congress.gov/bill/119th-congress/house-bill/1258/all-info