CISA Releases Final Binding Operational Directive on Developing a Vulnerability Disclosure Policy

Original release date: September 3, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) has released Binding Operational Directive (BOD) 20-01, Develop and Publish a Vulnerability Disclosure Policy (VDP). BOD 20-01 requires each federal agency to publish a VDP. Publication of agency VDPs will make it easier for users to report vulnerabilities they find in the Federal Government’s internet-accessible systems. CISA released a draft version of BOD 20-01 for public comment in December 2019 and incorporated many of the received suggestions in the final version.

CISA encourages users to review BOD 20-01 and the CISA blog post, Improving Vulnerability Disclosure Together (Officially) for more information.

This product is provided subject to this Notification and this Privacy & Use policy.