Inspectiv Insights
April 27, 2026
On June 22, the White House issued an executive order, Securing the Nation Against Advanced Cryptographic Attacks. Most of it deals with upgrading federal encryption for a post-quantum world. But one provision matters to a far wider audience: federal contractors are going to be required to run a vulnerability disclosure program (VDP).
If you sell software or services to the government, this is the part to read twice.
A Vulnerability Disclosure Program is a published, official way for outside security researchers to tell you about a bug in your systems, plus a defined process for receiving, validating, and fixing it.
Think of it as the front door for "hey, I found a problem."
A VDP is not a bug bounty. There's no payout. It's simply an open channel for reports you'd otherwise never see. The federal government has run these internally since 2020. This order extends the expectation to the companies it depends on.
The order directs the Federal Acquisition Regulatory (FAR) Council to publish a proposed rule, within 270 days, requiring covered contractors to run VDPs consistent with NIST guidelines.
A couple of things to be clear about:
This is the start of a rulemaking, not a switch flipping next week. A proposed rule means a draft and a final rule before anything is enforceable. You have a runway, but not an excuse to wait. Once the clause lands in federal contracts, it becomes a condition of doing business, and procurement teams will start asking about it well before then.
Who it affects: any company that contracts with the federal government and touches its data or systems. That's a wide net, and it pulls in a lot of mid-sized software companies that have never stood up a formal disclosure program and don't have a dedicated team to run one.
If you don't contract with the federal government, this order isn't a requirement for you. But it is a signal.
VDPs have been moving from "nice to have" to "expected" for a while, and government contracting is just the latest push. NIST already publishes VDP guidance. Regulators, including the SEC, keep raising the bar on security transparency and disclosure. And if you've filled out a vendor security questionnaire lately, you may have noticed third parties asking whether you have a disclosure process at all.
There's a simple reason behind the trend: exploited vulnerabilities are now the most common cause of a data breach in North America*. A VDP is one of the cheapest ways to find the ones you missed before someone else does.
When the federal government sets a security baseline, the private sector tends to follow. We expect VDPs to become a standard expectation across the board, not just in government contracts.
The threat environment has changed faster than most security programs have. AI-assisted tooling has compressed the time between a vulnerability being published and being actively exploited. What used to take weeks now sometimes takes hours. Researchers (the good ones and the bad ones) are running more scans, more frequently, across more surface area than ever before.
That's not theoretical. Inspectiv's researchers find real, exploitable vulnerabilities across customer environments every month. The kind that don't show up in automated scanners. What they're finding, and how, is worth a look.
A VDP that's just an unwatched inbox doesn't help you here. It adds risk. Real issues get buried under noise, the researcher who tried to help gives up, and your attack surface stays open. The point isn't having a channel, it's having one that actually works: reports come in, get triaged, and reach the people who can fix them.
Most companies facing this requirement don’t have the bandwidth to manage and triage incoming vulnerability submissions.
The failure mode isn’t getting reports. It's getting buried in them. That’s what Inspectiv is built for. Our team handles intake, deduplication, and researcher communication, turning a flood of submissions into a short list of validated, prioritized findings your engineers can actually act on. And because VDP runs on the same platform as our pentesting and bug bounty products, everything lands in one place: validated findings, remediation tracking, the works. No duct tape between tools.
*Source: 2026 Verizon Data Breach Investigations Report.
Want to learn more about vulnerability disclosure programs? Get a Demo.