CISA Releases Draft of Binding Operational Directive on Developing a Vulnerability Disclosure Policy

Last Revised

The Cybersecurity and Infrastructure Security Agency (CISA) has released a draft of Binding Operational Directive (BOD) 20-01, Develop and Publish a Vulnerability Disclosure Policy. BOD 20-01 will require each federal agency to publish a vulnerability disclosure policy (VDP). CISA has posted the draft directive for public feedback. The deadline for submitting comments is 11:59 PM EST on December 27, 2019.


CISA encourages users and administrators to review the CISA blog post, Improving Vulnerability Disclosure Together, and draft BOD 20-01 for more information. CISA encourages feedback on draft BOD 20-01 from individuals with personal or institutional expertise in vulnerability disclosure and from organizations that have a VDP and manage coordinated vulnerability disclosures.

This product is provided subject to this Notification and this Privacy & Use policy.