Federal Cybersecurity

Vulnerability Disclosure Policy

A public policy that authorizes good-faith security research on an organization's internet-accessible systems and provides a clear channel for researchers to report what they find. CISA Binding Operational Directive 20-01 (September 2, 2020) requires every federal civilian executive branch agency to publish and maintain a VDP covering all of its internet-accessible systems and to identify the systems in scope on a published list. The directive draws on ISO/IEC 29147 and codifies the practice that researcher reports are received, triaged, and acted on without legal threat to the researcher.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.