Key takeaways

  • Security researchers are fundamentally different from cybercriminals. According to Bugcrowd’s Inside the Mind of a Hacker 2026 report, 85% of hackers say reporting a critical vulnerability is more important than making money from it, and 65% have declined to report a vulnerability simply because no clear disclosure pathway existed.
  • A well-structured VDP protects public officials rather than exposing them. With defined scope, safe harbor protections, and managed triage, agencies control what researchers test and what gets disclosed, turning proactive security into a mark of competent governance.
  • Managed platforms solve the capacity problem. Bugcrowd handles validation, triage, deduplication, and noise reduction before findings reach your team, as demonstrated by California’s statewide VDP, which remediated more than 400 vulnerabilities across roughly 150 entities.
  • Government security research momentum is building. With FedRAMP Moderate Authorization, CISA funding through the State and Local Cybersecurity Grant Program, and growing bipartisan legislative support, launching a VDP now positions agencies ahead of what is increasingly becoming a baseline expectation.

State and local government systems are under constant threat. Ransomware, nation-state actors, and opportunistic attackers don’t distinguish between federal and local targets—and the numbers reflect the danger. In 2024, 60% of state and local governments experienced a cyberattack, seeing a 51% increase in ransomware incidents, a 148% surge in malware attacks, and a 300%+ increase in endpoint security incidents.

At the federal level, proactive responses are already mandated. Binding Operational Directive 20-01 requires all civilian federal executive branch agencies to publish a vulnerability disclosure program (VDP). CISA has distributed nearly $1 billion through the State and Local Cybersecurity Grant Program to push state and local governments toward stronger, proactive security measures. 

And yet many state and local agencies still haven’t launched a VDP. Because misconceptions about VDPs are common, this blog debunks three myths we hear regularly from state and local government security teams.

Myth 1: Skilled researchers could just sell their findings on the black market instead of reporting them for free

This myth assumes that researchers and threat actors are primarily motivated by the same incentive: money. The reality is far different. Security researchers and cybercriminals are distinct groups with fundamentally different value systems and motivations. 

For instance, many researchers submit to VDPs to build a verifiable track record—a portfolio of responsible disclosures that demonstrates skill and credibility to prospective employers. Others are driven by curiosity, the challenge of a problem, or the satisfaction of making systems more secure. Researchers who focus specifically on public sector infrastructure are often motivated by the civic dimension: These are the systems that handle voting, benefits, emergency services, and public records. Protecting them matters to the people who know how to break them.

The data reflects this reality. According to Bugcrowd’s Inside the Mind of a Hacker 2026 report, which surveys more than 2,000 hackers, 85% say that reporting a critical vulnerability is more important than making money from it. This is because hackers view hacking not just as a way to make a living but also as a way to fulfill a deeper purpose. In fact, 95% view hacking as an art form, and 98% are proud of their work.

However, the same survey shows that 65% of hackers have found a vulnerability and chosen not to report it because there was no clear, safe pathway for responsible disclosure. Launching a VDP is the strongest way to tap into the enthusiasm that’s already out there and allow security researchers to tell you what they find before a malicious attacker acts on it. 

Myth 2: Launching a program during an election year could hurt perceptions of me as a public official

It’s a reasonable instinct to worry that inviting outside scrutiny could surface problems, which can be risky in an election cycle. But let’s face it: Attackers are already probing systems. Granting good-faith security researchers permission to report what they find via a VDP gives you visibility into vulnerabilities you would otherwise not know about, which helps you prevent costly breaches that would upset your constituents.

A Bugcrowd VDP is designed to address that concern directly. Every participating researcher operates under a defined scope, a code of conduct, rules of engagement, and safe harbor protections—meaning good-faith security research is explicitly authorized and protected from legal action. The program owner sets the scope: Researchers can only test what is in bounds, and findings are routed through the platform to your security team, not published publicly. Bugcrowd’s triage team reviews every submission before it reaches you, filtering out noise and validating that reports are real, in-scope, and actionable. Unauthorized disclosure violates the platform’s code of conduct and is grounds for removal from the program.

Let’s look at Iowa as an example. Iowa Secretary of State Paul Pate launched a VDP in 2020, making Iowa the second state election office in the nation to do so. He then added a bug bounty program in 2022, ahead of the general election. The program won a 2022 U.S. Election Assistance Commission Clearinghouse Award for outstanding innovation in election cybersecurity. Pate’s framing is notable: “A bug bounty program is akin to having a penetration test 24 hours a day, seven days a week, 365 days a year.”

Proactive security is increasingly a mark of competent governance. The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 passed with broad bipartisan support, and CISA has continued funding state and local governments under multiple administrations. Federal agencies are already required to have VDPs. CISA has recommended them for state and local governments. Being ahead of that curve is a political advantage.

Myth 3: Opening a VDP will flood us with submissions we don’t have the capacity to handle

This is a legitimate operational concern—and it’s gotten more acute in recent years. AI tools have made it easy to generate high volumes of low-quality vulnerability reports at scale, a problem the industry has termed “AI slop.”

The volume problem is precisely why organizations use a managed platform rather than running a VDP themselves. Bugcrowd handles validation, triage, deduplication, and noise reduction before anything reaches your security team. What gets through is a prioritized list of real, actionable vulnerabilities. A Bugcrowd VDP also doesn’t require a large security team to be effective—the platform helps scale the program without requiring teams to change how they operate. Additionally, Bugcrowd has taken concrete steps to limit the noise from AI slop: banning accounts engaged in submission farming, implementing mandatory identity verification, adding submission throttling, and introducing CAPTCHA validation.
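To make the intake mechanics concrete, the following is an added illustration of the kind of filtering a managed triage layer performs before a report reaches an agency team: an in-scope check against the program’s published scope, a fingerprint-based deduplication step, and a per-researcher submission throttle. This is example code written for this article, not Bugcrowd’s platform code; the hostnames, the limits, and the sample submissions are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed program scope for a hypothetical agency (placeholder hostnames).
IN_SCOPE = ["*.agency.example", "portal.agency.example"]
OUT_OF_SCOPE = ["mail.agency.example"]   # excluded even though it matches the wildcard

THROTTLE_LIMIT = 3                       # assumed: max in-scope submissions per researcher ...
THROTTLE_WINDOW = timedelta(hours=1)     # ... within this rolling window


@dataclass
class Submission:
    researcher: str
    url: str
    vuln_class: str          # e.g. "xss", "idor"; free text from the reporter
    submitted_at: datetime


def in_scope(url: str) -> bool:
    """Explicit exclusions win over wildcard inclusions, as a published scope would state."""
    host = (urlsplit(url).hostname or "").lower()
    if any(fnmatch(host, pat) for pat in OUT_OF_SCOPE):
        return False
    return any(fnmatch(host, pat) for pat in IN_SCOPE)


def fingerprint(sub: Submission) -> str:
    """Normalize host, path and vulnerability class so trivially re-worded reports collide."""
    parts = urlsplit(sub.url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    return f"{host}{path}|{sub.vuln_class.strip().lower()}"


def triage(submissions):
    """Return (accepted, rejected); rejected items carry the reason a program owner would see."""
    first_reporter = {}                  # fingerprint -> researcher credited with the original
    recent = defaultdict(list)           # researcher -> timestamps of recent in-scope submissions
    accepted, rejected = [], []
    for sub in sorted(submissions, key=lambda s: s.submitted_at):
        if not in_scope(sub.url):
            rejected.append((sub, "out_of_scope"))
            continue
        window_start = sub.submitted_at - THROTTLE_WINDOW
        recent[sub.researcher] = [t for t in recent[sub.researcher] if t > window_start]
        if len(recent[sub.researcher]) >= THROTTLE_LIMIT:
            rejected.append((sub, "throttled"))
            continue
        recent[sub.researcher].append(sub.submitted_at)   # duplicates still consume quota
        fp = fingerprint(sub)
        if fp in first_reporter:
            rejected.append((sub, f"duplicate_of:{first_reporter[fp]}"))
            continue
        first_reporter[fp] = sub.researcher
        accepted.append(sub)
    return accepted, rejected


# Constructed sample intake: one original, one re-worded duplicate, two out-of-scope
# reports, and a burst from a single researcher that trips the throttle.
T0 = datetime(2026, 1, 15, 9, 0)
SAMPLE = [
    Submission("alice", "https://portal.agency.example/login", "xss", T0),
    Submission("bob", "https://portal.agency.example/login/", "XSS", T0 + timedelta(minutes=5)),
    Submission("carol", "https://mail.agency.example/owa", "idor", T0 + timedelta(minutes=10)),
    Submission("dave", "https://other.example/api", "sqli", T0 + timedelta(minutes=12)),
    Submission("eve", "https://api.agency.example/v1/users", "idor", T0 + timedelta(minutes=20)),
    Submission("eve", "https://api.agency.example/v1/files", "idor", T0 + timedelta(minutes=21)),
    Submission("eve", "https://api.agency.example/v1/notes", "idor", T0 + timedelta(minutes=22)),
    Submission("eve", "https://api.agency.example/v1/admin", "idor", T0 + timedelta(minutes=23)),
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE)
    print(f"{len(ok)} reports forwarded to the agency team:")
    for s in ok:
        print(f"  {s.researcher:6} {s.url} [{s.vuln_class}]")
    print(f"{len(bad)} reports held back:")
    for s, why in bad:
        print(f"  {s.researcher:6} {s.url} -> {why}")
```

Only the four reports that survive all three checks would reach the agency; the re-worded duplicate is credited to the first reporter, the out-of-scope hosts are bounced with a reason the researcher can act on, and the fourth report in the burst is held until the window passes. Real platforms add identity verification and human validation on top of this, which is the part that cannot be scripted.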

All these capabilities allow public sector organizations to focus on the signal rather than the noise. For instance, California’s statewide VDP, run in partnership with Bugcrowd, has attracted 786 unique security researchers and remediated more than 400 vulnerabilities across approximately 150 state and local entities—at a scale that would not be manageable without a managed platform.

The bottom line

Each of these myths points to the same underlying anxiety: Launching a VDP feels like adding risk and operational burden to an already stretched team. While the feeling makes sense, the data, the mandate trend, and real-world track records point the other way. It’s not about having a VDP—it’s about partnering with the right organization that can help you run it effectively. A well-run VDP allows you to gain visibility into vulnerabilities before threat actors can exploit them. The right one complements your team and doesn’t require significant internal lift to operate. Ultimately, it positions your agency as a proactive steward of the systems citizens depend on.

Bugcrowd’s VDP is purpose-built for the managed, high-accountability model that government agencies need: structured intake, triage, noise reduction, and a global researcher community that includes specialists in public sector infrastructure. In March 2026, Bugcrowd achieved FedRAMP Moderate Authorization, sponsored by CISA—meaning the platform handling your vulnerability disclosures has been vetted to the same standard you’re held to, without the typical 6-to-12-month provisional authority process.

Ready to get started? Learn more about Bugcrowd for government.