thread with "inspirational" bits from CISA's draft Binding Operational Directive 20-01 "Develop and Publish a Vulnerability Disclosure Policy" (cyber.dhs.gov/bod/20-01/) (h/t @WeldPond)
Agencies should recognize that “a reporter or anyone in possession of vulnerability information can disclose or publish the information at any time”
The policy must include:
- A clear statement that reporters may submit a report anonymously
- A commitment to not recommend or pursue legal action against anyone for security research activities that the agency concludes represents a good faith effort to follow the policy
The policy, or implementation of policy, must not:
- Limit testing solely to “vetted” registered parties or U.S. citizens. The policy must provide authorization to the general public.
- Attempt to restrict the reporter’s ability to disclose discovered vulnerabilities to others, with the exception of a request for a reasonably time-limited response period.
- Submit disclosed vulnerabilities to the VEP
Within 180 days... Create a security.txt file at the “/.well-known/” path of the agency’s primary .gov domain.
Your policy should be written in plain language, not legalese. It need not be long. The tone should be inviting, not threatening.
"Agencies must assume that any vulnerability discovered by a good-faith researcher may have easily already been discovered by a bad actor." cc @halvarflake
Finally, references to work by @allanfriedman et al in NTIA Multistakeholder Process: Cybersecurity Vulnerabilities (ntia.doc.gov/other-publicat…),
+ @certcc @__adh__ @zmanion Guide to Coordinated Vulnerability Disclosure (vuls.cert.org/confluence/dis…)
+ the ISO 29147 (👍 @k8em0 + editors)
Keep Current with Aristotle Tzafalias