Your weekly briefing on cybersecurity policy affecting vulnerability disclosure and security research.
Top Story
Federal Contractor VDP Mandate Advances to Senate
The Federal Contractor Cybersecurity Vulnerability Reduction Act (H.R. 872) passed the House by voice vote and awaits Senate action. Bipartisan sponsors, Senators Warner (D-VA) and Lankford (R-OK), introduced the Senate companion (S.1899), which would direct OMB and DoD to require vulnerability disclosure policies across all federal contractors.
This legislation could reshape the VDP ecosystem significantly. Federal contractors operate across the defense, healthcare, finance, and technology sectors, and many still lack a formal channel through which researchers can report vulnerabilities. Enactment could generate more new VDP programs than any prior policy initiative.
Significance for VDP: Security researchers would gain standardized disclosure pathways to government supply chain vendors. Organizations holding federal contracts should begin building VDP infrastructure (a published policy, an intake channel, and a triage process) now rather than waiting for the mandate to take effect.
Upcoming Deadlines & Events
- Feb 23: NIST Transit CSF Profile (IR 8576) — Submit comments
- Feb 23: NIST SP 800-82 Rev 4 (OT Security) — Submit pre-draft input
- Mar 1: CISA F5 ED 26-01 compliance deadline
- Mar 9: NIST AI Agent Security RFI — Submit via regulations.gov
- Mar 16: MITRE CVE contract expiration (monitor for extension/transition)
- Mar 19: NY RAISE Act effective date
- Apr 2: NIST AI Agent Identity Paper — Submit comments
- Aug 2: EU AI Act enforcement begins
- Sep 11: EU CRA vulnerability reporting requirements begin
This Week in Policy
Federal Strategy & Regulation
CISA Issues Edge Device Directive — BOD 26-02 requires federal agencies to inventory and patch edge devices and to remove end-of-support edge devices within 18 months. (CISA BOD 26-02)
National Cyber Director Previews Six-Pillar Strategy — Sean Cairncross outlined adversary behavior shaping, regulatory streamlining, federal system security, critical infrastructure protection, technology dominance maintenance, and workforce gap closure. (MeriTalk)
CIRCIA Rule Delayed to May 2026 — Final cyber incident reporting rule postponed to address industry concerns. (CyberScoop)
CVE & Vulnerability Programs
CISA Publishes CVE “Quality Era” Roadmap — Diversified funding, infrastructure modernization, and expanded ADP capabilities. (CISA)
Zero-Day Window Shrinking — VulnCheck reports that 29% of exploited vulnerabilities were attacked on or before the day their CVE was published, leaving no patch window for defenders who wait for a CVE ID. (VulnCheck)
MITRE Funding Cliff Approaches — CVE program contract expires March 16, 2026.
AI & Emerging Tech Security
Singapore Launches World’s First Agentic AI Framework — National governance framework for agentic AI systems addressing risk assessment, human accountability, and MCP security. (IMDA)
NVIDIA Red Team Publishes Agent Security Controls — Mandatory security framework for AI coding agents addresses prompt injection and sandbox escape. (NVIDIA Developer Blog)
New York RAISE Act Takes Effect March 19 — Frontier AI developers spending more than $100M on compute must implement safety frameworks and report safety incidents within 72 hours.
NIST Releases AI Agent Identity Paper — Addresses securely identifying and authorizing AI agents. (NCCoE Project Page)
Legal & Researcher Protections
HackerOne Launches AI Research Safe Harbor — Industry framework extends legal protections to researchers testing AI systems. (HackerOne)
UK Pledges Computer Misuse Act Rewrite — Home Secretary committed to creating a “statutory defence” for security researchers. (Computer Weekly)
International Developments
EU CRA Vulnerability Reporting Begins September 2026 — Manufacturers must report actively exploited vulnerabilities in their products: an early warning within 24 hours of becoming aware, followed by a full notification within 72 hours.
NIS2 Amendments Proposed — Clarify jurisdiction, streamline ransomware reporting, strengthen ENISA’s role. (DLA Piper)
UN Cybercrime Treaty Stalls — 74 signatories, zero ratifications. The treaty requires 40 ratifications to enter into force.
Friends of disclose.io
Copper Horse / IoT Security Foundation: The State of Vulnerability Disclosure in Global Consumer IoT (2025)
40.53% of global consumer IoT manufacturers now provide a contact mechanism for security researchers, up from 35.59% in 2024. Nine of the 15 retailers surveyed stock product lines with more than 80% VDP adoption, and three UK retailers reached 100%.
Download full report (PDF, CC BY 4.0)
Worth Reading
- METR: Frontier AI Safety Regulations Reference — Unified reference mapping requirements across California SB 53, EU AI Act, and NY RAISE Act.
- The Register: Red Teaming Becomes Legal Requirement — EU AI Act enforcement transforms red teaming from best practice to legal mandate.
- The Record: Spyware Makers Hijacking Pall Mall Process — NSO Group uses diplomatic participation to rehabilitate reputation.
Originally published on disclose.io Substack. Subscribe for weekly updates!