Policy Pulse - Issue #11 | Week of April 19, 2026
Your weekly briefing on cybersecurity policy affecting vulnerability disclosure and security research.
Top Story
CIRCIA Final Rule on Collision Course with Funding Lapse as May 2026 Deadline Approaches
CISA’s Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) final rule, already delayed from October 2025 to May 2026 due to the volume of public comments and harmonization work, now faces additional risk from a DHS appropriations lapse that forced the cancellation of the March 9 through April 2 CIRCIA town halls (Davis Wright Tremaine, CyberScoop). The agency has signaled that continued funding uncertainty will likely push the final rule further, and has rescheduled virtual listening sessions into late April. For practitioners tracking the 72-hour incident and 24-hour ransom payment clocks, the deadline slippage is not just bureaucratic: it stalls the harmonization work that was the stated reason for the delay in the first place.
The rule, when finalized, will define the covered entities, covered incidents, and reporting content that critical infrastructure operators must submit to CISA. It also intersects directly with how internal-facing vulnerability disclosure programs feed incident triage: an unpatched vuln exploited in the wild becomes a reportable event, and VDP intake forms, triage SLAs, and coordinator workflows all need to be CIRCIA-compatible before the clock starts.
Why it matters for VDP: Every VDP program operator should be treating CIRCIA as an integration problem, not a compliance checkbox. When a vulnerability report crosses into “covered cyber incident” territory, your triage workflow has 72 hours from discovery. If your VDP intake, escalation, and corp-sec handoff are not already wired to meet that window, the delay buys you planning time; it does not buy you a pass.
Throwback: In Issue #3, we covered CISA BOD 26-02’s targeting of unsupported products; this week’s CIRCIA timeline pressure is the same theme (federal reporting discipline) playing out on a tighter clock.
Upcoming Deadlines & Events
| Date | Agency | Event/Deadline | Action Required | Link |
|---|---|---|---|---|
| May 6, 2026 | NIST | CSF 2.0 Informative References Quick-Start Guide - public comment closes | Submit comments via CSRC comment portal if your org maps controls to CSF | CSRC Drafts |
| May 2026 (target) | CISA | CIRCIA final rule publication | Review against VDP intake and incident triage workflow | CISA CIRCIA |
| September 2026 | European Commission / ENISA | CRA Article 14 active-exploitation reporting becomes mandatory for manufacturers | Map product lines to Single Reporting Platform; align VDP disclosure timelines | NIS2 Art. 12 explainer |
| December 31, 2026 | United Nations | UN Convention Against Cybercrime closes for signature | Policy teams: track national signature status in operating countries | Just Security analysis |
| 2026 (TBD) | NIST | Initial Public Draft of Cyber AI Profile (NIST IR 8596) expected | Prepare for second comment window; January 2026 preliminary draft closed | NIST IR 8596 iprd |
This Week in Policy
AI & Emerging Tech Security
- NIST releases AI RMF Profile concept note for Critical Infrastructure (April 7). NIST published a concept note for a Trustworthy AI in Critical Infrastructure Profile, signaling the next tranche of sector-specific AI risk guidance for operators deploying AI-enabled capabilities in energy, water, and transport. (NIST CSRC) Why it matters for VDP: Critical infrastructure AI deployments will need VDP-style receiving channels; the profile will shape what “responsible disclosure” looks like when the asset is a model, not a box.
- CAISI RFI on agentic AI secure practices remains active. NIST’s Center for AI Standards and Innovation issued a formal Request for Information in January focused on AI systems that take autonomous actions affecting real-world environments. (NIST CSRC 2025 updates) Why it matters for VDP: Agentic systems break the “report a bug, vendor patches, user updates” loop; practitioner input here directly shapes how federal guidance treats agent misbehavior as a disclosure event.
Federal Strategy & Regulation
- CIRCIA town halls rescheduled after funding lapse. DHS appropriations problems forced CISA to cancel the March 9 to April 2 in-person CIRCIA engagements; virtual sessions have been rescheduled for late April. (CyberScoop) Why it matters for VDP: The listening sessions are where VDP operators can flag integration concerns (the intersection of voluntary disclosure with mandatory reporting) before the rule freezes.
CVE & Vulnerability Programs
- ENISA frames EU coordinated vulnerability disclosure as “now an obligation.” In an April 15 interview, ENISA’s Nuno Rodrigues Carvalho said cultural change across EU Member States will take years even though CVD is legally required under NIS2 Article 12 and the CRA. (Help Net Security) Why it matters for VDP: If you run a VDP with EU customers or EU-sold product lines, the implementation gap between legal requirement and operational reality is where your intake channel gets volume; plan capacity accordingly.
- European Vulnerability Database (EUVD) live and accepting queries. ENISA’s EUVD, the NIS2-mandated registry, is operational and supported by ENISA’s CVE Numbering Authority role. (ENISA) Why it matters for VDP: EUVD is a second global authority alongside NVD; disclosure coordinators now have two primary references to keep in sync.
Legal & Researcher Protections
- UK government reaffirms pledge to rewrite the Computer Misuse Act. Following the earlier defeat of the Holmes/Clement-Jones amendments to the Data (Access and Use) Bill, the UK government has formally committed to rewriting the 35-year-old CMA to protect legitimate cyber threat research. Research cited in the coverage found 80% of UK cyber professionals have worried about breaking the law while doing their jobs. (Computer Weekly) Why it matters for VDP: This is the most concrete Five Eyes movement toward a statutory good-faith defence we’ve seen in the 35-year life of the CMA; watch for scope (will it cover threat intel gathering, or only VDP-style research?) and timing in the coming Home Office consultation.
International Developments
- UN Convention Against Cybercrime signature window counting down. The UN Convention, opened for signature October 25-26, 2025 in Hanoi, remains open for signature and ratification through December 31, 2026. Thirty-two Budapest Convention parties have already signed the UN text. (Just Security, Digital Watch) Why it matters for VDP: The treaty creates parallel (not replacement) authority alongside Budapest; researcher-facing carve-outs and safeguards vary by national implementation, so the country-by-country ratification cycle is where the real impact lands.
Friends of disclose.io
Copper Horse / IoT Security Foundation: The State of Vulnerability Disclosure Policy Usage in Global Consumer IoT in 2025
The 8th edition of Copper Horse and IoTSF’s longitudinal VDP adoption study, published in January 2026, remains the most rigorous public measurement of whether consumer IoT manufacturers are actually standing up disclosure channels. The 2025 cut shows 40.53% of 491 manufacturers in the dataset now provide a way for security researchers to contact them about vulnerabilities, up 4.94 percentage points from 2024’s 35.59%. That is forward motion, and it is also a reminder that nearly six in ten IoT vendors still offer no public contact method at all.
The bright spot is retail: across 15 major global retailers, more than 60% of sampled popular manufacturers now have a VDP. The authors credit the UK’s Product Security and Telecommunications Infrastructure (PSTI) regulations (in force since April 2024), which demand clear vulnerability disclosure mechanisms and transparency on security support periods. It is direct evidence that regulation moves the VDP adoption curve where voluntary advocacy alone has stalled.
Key findings:
- 40.53% VDP adoption across 491 consumer IoT manufacturers (up from 35.59% in 2024)
- More than 60% adoption among manufacturers stocked by 15 major global retailers
- Visible impact of the UK PSTI regulations as a forcing function
- EU CRA mandatory exploitation reporting (24/72-hour windows) begins September 2026, likely accelerating the curve again
Copper Horse and IoTSF have been running this study since 2018. It is the single best longitudinal signal we have for whether policy interventions are actually moving the needle on IoT VDP adoption, and it deserves a wider audience every year.
Worth Reading
- Coordinated vulnerability disclosure is now an EU obligation, but cultural change takes time (Help Net Security, April 15): ENISA’s Nuno Rodrigues Carvalho on the gap between legal obligation and operational reality across Member States; required reading for anyone running a VDP with EU exposure.
- Patching the CFAA so Researchers No Longer Pay (Cybaris Law Review): A rigorous legal argument for statutory, not prosecutorial, CFAA safe harbor. Pairs well with the UK CMA reform news as a compare-and-contrast on how different legal systems are approaching the same problem.
- The (still) unanswered questions around the CFAA and ‘good faith’ security research (SC Media): Useful practitioner-level review of what the 2022 DOJ guidance actually protects (not much) and what it does not (civil suits, state laws).
- Comparative analysis: the Budapest Convention vs the UN Convention Against Cybercrime (Digital Watch Observatory): Side-by-side on dual-track international cybercrime regimes, with attention to research-relevant safeguards.
Policy Pulse is a weekly bulletin from disclose.io. Keeping the security research community informed on policy that affects our work.