Mark Your Calendar: The disclose.io Upcoming Dates Page Is Live
The disclose.io Upcoming Dates page is now live — a shared community calendar tracking policy deadlines, regulations, CFPs, and legislation across the US, EU, UK, and Australia. Plus: show up at Hackers on the Hill, June 16.
If you're trying to keep up with the policy and regulatory drumbeat affecting vulnerability disclosure and security research single-handedly, I have bad news: you can't. None of us can. The surface has gotten too big, the jurisdictions too many, the deadlines too overlapping. The EU is mid-implementation on CRA and AI Act. The US has CIRCIA, state AI laws cascading, and a new NDAA cycle every year. The UK is rewriting the Computer Misuse Act for the first time in 35 years. Australia just turned on the IoT security regime. The UN closed signature on a cybercrime treaty that real lawyers are genuinely worried about. Even if you read everything, the calendar is the bottleneck — knowing when something fires is half the battle.
So we made a shared calendar.
The disclose.io Upcoming Dates page is now live as a continually updated, community-maintained reference for everything that matters to the VDP, CVD, and security research community. It's organized into five categories, sorted by date, and refreshed weekly alongside Policy Pulse. It's free, it's open, it's yours.
What's on it
Policy Comment Deadlines — open windows where you (yes, you, an individual researcher with skin in the game) can submit input to government. NIST drafts on TLS, key wrapping, confidential computing, and post-quantum signatures. CISA Federal Register dockets — including the .gov registrar collection that directly affects how researchers report against federal domains. The UK DSIT Software Security Code of Practice evaluation, open through December. The EU AI Act high-risk classification guidelines closing June 23. If you've ever wanted to be in the room where it happens, that room is a comment form, and the form is open right now.
Regulations Coming Into Effect — the cliff edges. The EU CRA vulnerability-reporting clock starts September 11, 2026 — the first global mandatory exploited-vuln reporting regime, 24h early warning, 72h notification, 14-day final report through ENISA's Single Reporting Platform. The Colorado AI Act, postponed but now live June 30. New Jersey's cure period sunsets July 16. California's data broker DROP platform starts enforcing $200-per-request-per-day penalties August 1. Then a January 1, 2027 cluster lands on the same day: Indiana ICDPA, Kentucky HB 15, Texas TRAIGA (which is the only US state AI law I'm aware of with an explicit safe harbor for internal adversarial testing and red-team exercises — a genuinely pro-research provision worth paying attention to), and New York's RAISE Act.
Conferences, CFPs, and Events — IEEE S&P, NDSS, USENIX, ACM CCS, DEF CON, FIRST, ENISA Skills, AISA CyberCon, Code Blue, Aspen Cyber Summit, 40C3, Black Hat Europe. Submission deadlines you'll otherwise miss while heads-down on a report.
International Developments — UK CSR Bill Royal Assent process. The new UN Global Mechanism on ICT Security — yes, OEWG is dead; the replacement has its first substantive plenary July 20-24. AU SOCI Act CIRMP annual reports. ENISA's NIS2 Technical Implementation Guidance v2. The EUVD bid to become the first non-US Top-Level Root CNA in the CVE program. CRI 6th Summit.
Pending Legislation — H.R. 872 (federal contractor VDPs), the FY27 NDAA cycle, the reintroduced ACDC Act, the UK National Security Bill that's supposed to carry the CMA statutory defence (a defence that, as currently drafted, would cover roughly 300 chartered UK nationals out of a workforce of nearly 70,000 — worth flagging hard), Ofcom's Online Safety Act Categorisation Register, Australia's Privacy Act Tranche 2 exposure draft, and CA SB 53 enforcement build-out.
Show up: Hackers on the Hill — June 16, 2026
The single most-leveraged date on the calendar this month is Hackers on the Hill on June 16, 2026 at the US Capitol in Washington, DC. This is I Am The Cavalry's flagship policy briefing day — researchers, members of the security community, and Congressional staff in the same building, talking about the same problems. There is no substitute for this kind of in-person engagement. If you have ever wanted to be useful to the policy conversation, this is the day. Register, show up, bring a friend, and bring the perspective of someone who actually finds and reports bugs for a living. The "Hackers on More Hills" regional spin-offs are scaling through 2026 too — if DC is too far, watch for one closer to you.
Tell us what we're missing
This page is a community resource, and it's only as good as the community makes it. If we missed your jurisdiction, your bill, your consultation, your conference — tell us. Reply to any Policy Pulse issue. Hit us up on Twitter/X, Bluesky, LinkedIn, or Mastodon. DM, reply, send a PR-equivalent note — whatever works.
The CFAA reform fight, the EU CRA reporting clock, the Computer Misuse Act rewrite, the UN treaty signature window, the state-level AI laws stacking like Jenga blocks — these are not happening to us. They're happening around us, and the people in those rooms need to hear from the people who actually do this work. The calendar is the easy part. The hard part is showing up.
