CISA folds its own hard-won lessons into coordinated vulnerability disclosure guidance

On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and four allied cyber authorities published a guide telling software vendors how to build a coordinated vulnerability disclosure (CVD) program.

Six days earlier, CISA published a blog post explaining how a security researcher had tried and failed, repeatedly, to report a serious problem to CISA itself. Read side by side, the two documents suggest the timing is deliberate.

The guidance

Suppliers should design a CVD program to “effectively and transparently collaborate with security researchers to report and remediate vulnerabilities,” the guidance says. This can be achieved by the suppliers publishing a vulnerability disclosure policy on their website and stating plainly that reporting is open to the public.

They should use a security.txt file, the machine- and human-readable format defined in RFC 9116, so researchers can find contact information without hunting. They should set the widest possible scope for testing, on the reasoning that arbitrary boundaries constrain researchers but not attackers.

Acknowledge the security researcher’s outreach within a specified time frame, ideally between two or three business days, the agencies counsel.

One recommendation is CISA’s own failure written as advice: separate vulnerability disclosure and triage from existing customer support channels, because using existing channels “may lead to overlooked and undervalued reports or accidental disclosure.”

The failure

On July 9, CISA’s Acting CIO Preston Werntz and Acting CISO Brad Libbey, described an incident that CISA became aware on May 15, 2026, when an investigative reporter inquired about internal CISA AWS GovCloud keys and other information sitting in a public repository.

The reporter had the information from a security researcher whose company continuously scans public code repositories.

Guillaume Valadon, the GitGuardian researcher who found the data, wrote that, after nine notification emails went unanswered, his report reached CISA “through an unnecessarily complicated path.”

CISA admitted its reporting channels “were not well defined,” which led the researcher to try multiple avenues: emailing the contractor, submitting through CISA’s vulnerability disclosure platform (intended for vulnerabilities affecting the broader community, not CISA itself) and, finally, involving a reporter.

The agency says it’ss refining those channels, and notes that while many researchers rely on security.txt, organizations should publish reporting instructions in multiple, prominent places.

CISA also acknowledged it lost time early because it had no GitHub or cloud incident-response playbook and had to write one mid-incident.

Key rotation took longer than anticipated, due to the complexity of CISA’s systems and its interconnections with federal and industry partners. (The agency urged others to maintain mature, well-tested key-management capabilities.)

Additional recommendations

Nearly every failure CISA describes maps onto a recommendation in Tuesday’s guide, but there are also others:

  • Use safe-harbor language assuring researchers their good-faith work is authorized under anti-hacking statutes
  • Avoid blanket non-disclosure agreements and silent fixes
  • Assign CVE number for internally discovered vulnerabilities, not just external reports
  • Publish advisories based on the Common Security Advisory Framework, and never behind a paywall.

There is also regulatory weight behind the advice: BOD 20-01 already requires federal civilian agencies to publish disclosure policies, and the EU Cyber Resilience Act extends the obligation to suppliers operating in the European Union.

Valadon’s assessment of the postmortem was generous: “Most organizations bury this kind of incident. CISA wrote it up, explained what worked, what did not, and invited the industry to learn from it.”

He also noted that, to his knowledge, this was the first time a national cyber agency has publicly advocated for secrets scanning and for simplifying relations with researchers.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *