The House of Representatives has passed a bill aimed at requiring federal contractors to have a vulnerability disclosure policy (VDP).
The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 instructs the Office of Management and Budget (OMB) to consult with CISA, the Office of the National Cyber Director, NIST, and other relevant departments, and require federal contractors to have a VDP that is consistent with NIST guidelines.
The bill also instructs the Defense Department to require defense contractors to adopt similar policies.
The goal is to make it easier for individuals and companies who find vulnerabilities in contractors’ systems to responsibly disclose them.
Just days before the bill passed the House, several major cybersecurity and tech companies signed a letter urging the House and Senate to approve the legislation.
“Contractors, given the vast amount of sensitive data they handle, are prime targets for cyber threats. As a result, the bill ensures all companies contracting with the federal government adhere to security best practices,” reads the letter signed by HackerOne, Bugcrowd, Microsoft, Infoblox, Rapid7, Trend Micro, Tenable and Schneider Electric.
“The bill builds upon existing policies that have encouraged the adoption of VDPs, promoting a proactive approach to cybersecurity and helping protect critical systems before they can be exploited,” it continues.
Lawmakers have been trying to pass this bill for the past two years. It was first introduced by Representative Nancy Mace (R-SC) in 2023, with a companion version introduced in 2024 by senators Mark R. Warner (D-VA) and James Lankford (R-OK).
The bill received approval from the House Committee on Oversight and Accountability in May 2024 and was later incorporated into the National Defense Authorization Act (NDAA).
The legislation is now in the Senate, where it has been referred to the Committee on Homeland Security and Governmental Affairs.
Related: Senate Passes Bill to Protect Kids Online and Make Tech Companies Accountable for Harmful Content
Related: House Passes Bill Barring Sale of Personal Information to Foreign Adversaries
Related: California Governor Vetoes Bill to Create First-in-Nation AI Safety Measures