The U.S. government’s acceptance and adoption of Vulnerability Disclosure Programs (VDPs) has evolved significantly, with initiatives such as Hack the Pentagon and DHS/CISA’s Binding Operational Directive 20-01 (BOD 20-01), issued alongside OMB memorandum M-20-32, showing the tangible benefits of working with ethical hackers. These programs have produced measurable results, such as faster remediation of reported vulnerabilities and improved security postures across the agencies that adopted them.

Historically, federal policy strongly influenced both public-sector and private-sector cybersecurity adoption, often setting industry standards. These initiatives have guided agencies toward proactive vulnerability management, creating industry-wide ripple effects and clearly demonstrating the effectiveness of direct collaboration with ethical hackers.

I sat down with Trey Ford and we discussed H.R. 872, the basics of vulnerability disclosure, and why this bill is so important.

What is H.R. 872?

H.R. 872, the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, is sponsored by Representatives Nancy Mace (R-SC) and Shontel Brown (D-OH). The bill was first introduced in August 2023 and reintroduced in the current Congress as H.R. 872, where it has garnered extensive bipartisan support. The full House of Representatives approved the bill on March 4, 2025, marking significant progress. It still must clear the Senate and be signed into law by the President before it takes effect.

The bill mandates VDP adoption through federal procurement rules: it directs updates to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) so that contractors must maintain a VDP as a condition of doing business with the government. Unlike mere recommendations, procurement requirements carry compliance incentives and penalties, which gives businesses a concrete reason to act. Procurement is uniquely effective because it ties VDP adoption directly to eligibility for federal contracts, embedding the practice in standard operations rather than leaving it as optional guidance.

Potential impact and outcomes of H.R. 872

For companies lacking a formal VDP, this requirement means they will need to stand up vulnerability disclosure practices quickly to remain competitive in federal contracting. Small and mid-sized federal contractors will likely adopt standardized processes, leveraging existing guidance such as NIST SP 800-216, ISO/IEC 29147 (vulnerability disclosure), and ISO/IEC 30111 (vulnerability handling) to simplify compliance.

Programs like Hack the Pentagon have already demonstrated the effectiveness of vulnerability disclosure, improving security by identifying and fixing critical vulnerabilities before they could be exploited.

Because procurement requirements are mandatory rather than advisory, they drive consistent adoption across the contractor base. The incentive is a clear business one: no VDP, no eligibility for the contract.

Bugcrowd’s support of H.R. 872

Bugcrowd is proud to have supported the creation of H.R. 872 and its passage through the House, and we continue to support its passage through the Senate by engaging and advocating directly alongside the Hacking Policy Council. We extend our sincere appreciation to Representatives Nancy Mace and Shontel Brown for their leadership and bipartisan commitment to enhancing cybersecurity.

This bill marks another vital step in promoting and normalizing the role of good-faith security research in cybersecurity, fostering deeper collaboration between ethical hackers and traditional security teams. Going forward, we anticipate further legislation reinforcing the hacker community’s crucial role in securing digital infrastructure nationally and globally.

For organizations looking to proactively incorporate vulnerability disclosure into their security strategy, Bugcrowd offers a wide range of vulnerability disclosure programs, from a free compliance-focused VDP to more comprehensive programs for organizations expecting higher submission volumes.