Policy Pulse - Issue #2 | Week of February 8, 2026
Your weekly briefing on cybersecurity policy affecting vulnerability disclosure and security research.
Top Story
Federal Contractor VDP Mandate Advances to Senate
The Federal Contractor Cybersecurity Vulnerability Reduction Act (H.R. 872) passed the House by voice vote and now awaits Senate action. The bipartisan bill, whose Senate companion (S.1899) is sponsored by Senators Warner (D-VA) and Lankford (R-OK), would direct OMB and DoD to require vulnerability disclosure policies of all federal contractors.
This represents a potential watershed for the VDP ecosystem. Federal contractors span nearly every sector: defense, healthcare, finance, technology. Many currently lack formal channels for security researchers to report vulnerabilities. If enacted, this single bill could create more new VDP programs than any policy action in history.
Why it matters for VDP: Security researchers working with government supply chain vendors would gain standardized disclosure channels. Organizations holding or pursuing federal contracts should begin preparing VDP infrastructure now. The bill essentially codifies what many already consider a baseline security practice, but makes it a contractual requirement.
Throwback: In Issue #1, we covered the CVE Foundation’s pursuit of nonprofit status. This contractor VDP mandate would significantly increase the volume of vulnerabilities flowing through CVE and related systems.
Upcoming Deadlines & Events
- Feb 23: NIST Transit CSF Profile (IR 8576). Submit comments
- Feb 23: NIST SP 800-82 Rev 4 (OT Security). Submit pre-draft input
- Mar 1: CISA F5 ED 26-01 compliance. Agency remediation due
- Mar 9: NIST AI Agent Security RFI. Submit via regulations.gov
- Mar 16: MITRE CVE contract expiration. Monitor for extension/transition
- Apr 2: NIST AI Agent Identity Paper. Submit comments
- Aug 2: EU AI Act enforcement (frontier models). Red teaming mandate begins
- Sep 11: EU CRA vulnerability reporting. 24hr/72hr mandate begins
- Jan 1, 2027: NY RAISE Act effective. Frontier AI compliance required
This Week in Policy
Federal Strategy & Regulation
- CISA Issues Edge Device Directive: Binding Operational Directive 26-02 requires federal agencies to inventory, patch, and eliminate end-of-support edge devices (firewalls, routers, VPN appliances) within 18 months. Creates immediate demand for vulnerability assessments of legacy infrastructure. (CISA BOD 26-02)
- National Cyber Director Previews Six-Pillar Strategy: Sean Cairncross outlined the forthcoming national cybersecurity strategy: shaping adversary behavior, streamlining regulations, securing federal systems, protecting critical infrastructure, maintaining tech dominance, and closing workforce gaps. The “streamlining regulations” pillar may consolidate scattered disclosure requirements. (MeriTalk)
- CIRCIA Rule Delayed to May 2026: The Trump administration pushed the final rule implementing the Cyber Incident Reporting for Critical Infrastructure Act to May 2026, citing the need to address industry concerns about overly broad definitions and to harmonize the rule with other agencies' reporting regimes. (CyberScoop)
CVE & Vulnerability Programs
- CISA Publishes CVE “Quality Era” Roadmap: CISA released “Strategic Focus: CVE Quality for a Cyber Secure Future,” committing to diversified funding, infrastructure modernization, and expanded Authorized Data Publisher capabilities. Signals long-term investment in CVE sustainability. (CISA)
- Zero-Day Window Shrinking: VulnCheck’s 2026 report reveals 29% of exploited vulnerabilities were attacked on or before CVE publication day, up from 24% in 2024. Network edge devices top the target list with 191 KEVs. (VulnCheck)
- MITRE Funding Cliff Approaches: The CVE program contract with MITRE expires March 16, 2026. While CISA’s roadmap addresses long-term sustainability, the near-term deadline creates potential disruption risk. Throwback: Issue #1 covered GCVE’s launch as a European alternative; both systems may prove necessary given ongoing funding uncertainty.
AI & Emerging Tech Security
This week saw significant movement on AI security governance, with direct implications for how VDP programs handle AI systems. Traditional disclosure frameworks were not designed for agentic AI attack surfaces, and most programs still treat AI endpoints like standard APIs even though the failure modes (prompt injection, unintended tool use, sandbox escape) are different in kind.
- Singapore Launches World’s First Agentic AI Framework: Singapore’s IMDA released the first national governance framework for agentic AI systems, addressing risk assessment, human accountability, technical controls, and MCP security considerations. The framework explicitly addresses agentic guardrails and is open for industry feedback. (IMDA | Computer Weekly)
- NVIDIA Red Team Publishes Agent Security Controls: Security guidance for AI coding agents (Cursor, Claude, Copilot) that treats three controls as mandatory against prompt injection and sandbox escape: network egress lockdown, writes confined to the workspace, and protection of configuration files. The framing confirms agent sandbox escape as a critical attack surface. (NVIDIA Developer Blog)
- New York RAISE Act Takes Effect January 1, 2027: Frontier AI developers spending >$100M on compute must implement safety frameworks with 72-hour incident reporting. Creates state-level enforcement independent of federal action. (Governor Hochul | Full text)
- NIST Releases AI Agent Identity Paper: NCCoE concept paper on securely identifying and authorizing AI agents, covering auditing, non-repudiation, and prompt injection mitigations. Throwback: The NIST AI Agent Security RFI from Issue #1 (deadline March 9) now has a companion identity paper. Submit to both for comprehensive input. (NCCoE Project Page | Submit comments by April 2)
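The second and third NVIDIA controls above (workspace-only writes and config file protection) come down to a path check that an agent's file-write tool runs before touching disk. The following is an added example written for this issue, not NVIDIA's or any agent vendor's code; the protected-path list and the constructed workspace layout are assumptions. It shows the two ways a naive "does the path start with the workspace?" check fails: `../` traversal and a symlink inside the workspace that points outside it.

```python
import tempfile
from pathlib import Path

# Hypothetical list of workspace-relative paths an agent must never write to.
# Editing these changes what runs (git hooks), how the agent behaves (editor/agent
# config), or what secrets it sees (.env). Constructed for this example.
PROTECTED_CONFIG = {
    ".git/config", ".git/hooks", ".vscode/settings.json", ".cursor", ".claude", ".env",
}


class WriteDenied(Exception):
    """Raised when a requested write falls outside the sandbox policy."""


def check_write(workspace: str, requested: str) -> Path:
    """Return the resolved target if the write is allowed, else raise WriteDenied.

    Rule 1: the real (symlink-resolved) path must lie inside the real workspace.
            This defeats both '../' traversal and symlinks that escape the tree.
    Rule 2: no prefix of the workspace-relative path may be a protected config path.
    """
    ws = Path(workspace).resolve(strict=True)
    target = Path(requested)
    if not target.is_absolute():
        target = ws / target
    # strict=False resolves every existing component (following symlinks) and
    # appends the rest, so a not-yet-created file under a symlinked directory
    # still resolves to where the bytes would actually land.
    resolved = target.resolve(strict=False)
    try:
        rel = resolved.relative_to(ws)
    except ValueError:
        raise WriteDenied(f"outside workspace: {requested} -> {resolved}")
    parts = rel.parts
    for i in range(1, len(parts) + 1):
        prefix = "/".join(parts[:i])
        if prefix in PROTECTED_CONFIG:
            raise WriteDenied(f"protected config path: {prefix}")
    return resolved


def demo() -> dict:
    """Build a constructed workspace in a temp dir and exercise the policy."""
    root = Path(tempfile.mkdtemp())
    ws = root / "repo"
    (ws / "src").mkdir(parents=True)
    outside = root / "outside"
    outside.mkdir()
    # A symlink inside the workspace pointing outside it: the classic escape.
    (ws / "src" / "escape").symlink_to(outside)

    cases = {
        "normal": "src/main.py",
        "traversal": "../outside/pwned.txt",
        "symlink": "src/escape/pwned.txt",
        "git_hook": ".git/hooks/pre-commit",
        "absolute_outside": str(outside / "x"),
    }
    results = {}
    for name, path in cases.items():
        try:
            check_write(str(ws), path)
            results[name] = "allowed"
        except WriteDenied:
            results[name] = "denied"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The order of the two rules matters: resolving first means the protected-path check sees the path where the write would really land, so a symlink named `src/cfg` pointing at `.git/hooks` is caught by the prefix check rather than slipping past it. A string-prefix comparison on the unresolved path would pass every escape case here.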
Legal & Researcher Protections
- HackerOne Launches AI Research Safe Harbor: New industry framework extends legal protections to researchers testing AI systems. Adopting organizations commit to recognizing good-faith AI research as authorized and refraining from legal action. This directly addresses the gap between traditional VDP safe harbors and AI-specific risks. (HackerOne | Framework details)
- UK Pledges Computer Misuse Act Rewrite: Home Secretary committed to creating a “statutory defence” for security researchers, the most significant CMA reform movement in decades. Lords cross-party amendment continues through Parliament. (Computer Weekly)
International Developments
- EU CRA Vulnerability Reporting Begins September 2026: The Cyber Resilience Act's first operational phase begins on September 11, when manufacturers must notify the coordinating CSIRT and ENISA of actively exploited vulnerabilities within 24 hours (early warning) and 72 hours (full notification), followed by a final report once a fix or mitigation is available. It is the strictest vulnerability reporting timeline in any jurisdiction. (European Commission)
- NIS2 Amendments Proposed: Commission proposed targeted amendments (Jan 20) to clarify jurisdiction, streamline ransomware reporting, and strengthen ENISA’s cross-border coordination role. (DLA Piper)
- UN Cybercrime Treaty Stalls: 74 signatories, zero ratifications. The treaty needs 40 ratifications to enter force. Vague cybercrime definitions continue raising concerns about impacts on cross-border security research. (Human Rights Watch)
Friends of disclose.io
Copper Horse / IoT Security Foundation: The State of Vulnerability Disclosure in Global Consumer IoT (2025)
The sixth annual report on VDP adoption in consumer IoT is out, and it’s a mixed bag. 40.53% of global IoT manufacturers now have some way for researchers to contact them, up from 35.59% in 2024. Progress, but still less than halfway there.
Key findings:
- All major retailers surveyed now stock products where >60% of popular manufacturers have VDPs
- 9 of 15 retailers scored >80% VDP adoption among their IoT suppliers
- 3 UK retailers achieved 100% adoption among popular IoT brands they sell
- Walmart lags significantly at 27.59% compliant manufacturers (8 of 29 products)
Regulatory tailwinds: The EU Cyber Resilience Act and US FCC IoT Cybersecurity Labelling Program both require manufacturer contact mechanisms for vulnerability reporting. Adoption should accelerate as these take effect.
The full report is CC BY 4.0 licensed and available for download:
The State of Vulnerability Disclosure Usage in Global Consumer IoT in 2025 (PDF)
Copper Horse has been tracking IoT VDP adoption since 2018 when only 10% of manufacturers had disclosure mechanisms. David Rogers and the team continue doing essential work quantifying the gap between where we are and where we need to be.
Worth Reading
- METR: Frontier AI Safety Regulations Reference: Unified reference mapping requirements across California SB 53, EU AI Act, and NY RAISE Act. Essential for understanding what testing labs are now legally required to perform.
- The Register: Red Teaming Becomes Legal Requirement: Analysis of how EU AI Act enforcement (August 2026) transforms red teaming from best practice to mandate. Security researchers gain formal engagement pathways.
- The Record: Spyware Makers Hijacking Pall Mall Process: Civil society warns NSO Group is using diplomatic participation to rehabilitate its reputation. Important context on the tensions in commercial cyber capability governance.
Policy Pulse is a weekly bulletin from disclose.io. Keeping the security research community informed on policy that affects our work.
Have a tip or want to contribute? Reply to this email, reach out on Twitter/X, or drop a comment here!