Policy Pulse - Issue #4 | Week of February 22, 2026
Your weekly briefing on cybersecurity policy affecting vulnerability disclosure and security research. This week: Australia mandates VDPs for all smart devices, MITRE CVE contract enters final countdown, and a researcher who found children's data exposed gets threatened with prosecution.
Top Story
Australia Mandates Vulnerability Disclosure for All Smart Devices — Effective March 4
On March 4, 2026, Australia's Cyber Security (Security Standards for Smart Devices) Rules 2025 take effect, making Australia the first country to enforce mandatory vulnerability disclosure programs for consumer IoT products under its landmark Cyber Security Act 2024. Every manufacturer or supplier of "relevant connectable products" sold in Australia must now maintain a public, free, 24/7 security vulnerability reporting channel, send acknowledgment within 48 hours, and provide regular status updates until resolution. They must also publish a vulnerability disclosure policy with contact information and timelines, eliminate universal default passwords, and publish fixed security update support periods. Non-compliant products face "stop sell" orders and product recalls.
The rules have extraterritorial reach: overseas manufacturers whose products are sold in Australia must comply. This is the enforcement arm of the same Cyber Security Act 2024 that shifted ransomware payment reporting from an "education first" approach to active regulatory compliance on January 1, 2026, with civil penalty provisions taking effect June 1, 2026.
Why it matters for VDP: This is a watershed moment. By mandating vulnerability reporting channels with enforceable SLAs across the entire consumer IoT sector, Australia just created one of the world's largest expansions of legitimate attack surface for security researchers. Every smart device manufacturer selling into Australia — from smart locks to connected appliances — must now accept vulnerability reports. Combined with the PSPF 2025 making VDPs mandatory for all Australian federal government entities, Australia is building a comprehensive VDP infrastructure. The glaring gap: Australia's Criminal Code (Part 10.7, ss. 477-478) still has no statutory safe harbor for researchers who discover these vulnerabilities. The policy says "tell us what you find," but the law still says "finding it might be a crime."
Upcoming Deadlines & Events
- Mar 4: Australia smart device security standards take effect (mandatory VDP, no default passwords, security update periods).
- Mar 5: UK Cyber Security and Resilience Bill committee expected to report.
- Mar 9: NIST CAISI AI Agent Security RFI comments due (submit via regulations.gov, NIST-2025-0035). Also: CIRCIA town hall for Chemical, Water, Dams, Energy, and Nuclear sectors.
- Mar 12: CIRCIA town hall for Commercial Facilities, Critical Manufacturing, and Food/Agriculture sectors. (Additional sessions: Mar 17, Mar 19, Mar 31.)
- Mar 16: MITRE CVE contract option period expires. No public renewal announcement yet.
- Mar 19: New York RAISE Act takes effect (frontier AI compliance requirements).
- Apr 2: NIST AI Agent Identity Paper comments due. CIRCIA general session town hall.
- May 2026: CIRCIA final rule targeted (delayed from October 2025).
- Jun 11: EU CRA first conformity assessment bodies begin checking product conformity.
- Jul 1: Queensland mandatory data breach notification extends to local government.
- Aug 2: EU AI Act high-risk system requirements take effect (red-teaming mandate).
- Sep 11: EU Cyber Resilience Act vulnerability reporting obligations begin (24hr/72hr timelines).
This Week in Policy
Australia Deep Dive
Ransomware Reporting Shifts to Compliance Focus: Since January 1, 2026, Australia's mandatory ransomware payment reporting regime has moved from an "education first" posture to active regulatory compliance, with civil penalty provisions taking effect June 1, 2026. Businesses with annual turnover above AUD $3 million must report ransomware or cyber extortion payments to the National Cyber Security Coordinator within 72 hours. The Cyber Incident Review Board, established under the same Act, is now operational and conducting no-fault post-incident reviews. Critically, the Act's Limited Use Obligation (Part 4) means information voluntarily shared with the NCSC during incidents cannot be used for enforcement and is generally inadmissible as evidence — an important trust-building measure, though it protects incident reporters, not vulnerability researchers.
PSPF 2025 Makes VDPs Mandatory for Federal Government: The Protective Security Policy Framework Release 2025, issued July 24, 2025, made vulnerability disclosure programs a mandatory requirement in the Technology domain for all Australian Government entities. Agencies must "establish a vulnerability disclosure program and supporting processes and procedures to receive, verify, resolve and report on vulnerabilities disclosed by both internal and external sources." Multiple agencies — including ASD/ACSC, Treasury, Home Affairs, and Service NSW on Bugcrowd — already operate formal VDPs. ASPI Strategist has argued that the next step should be a national coordinated vulnerability disclosure policy with safe harbor provisions and federal bug bounty funding.
Queensland Mandatory Data Breach Notification Expanding: Queensland's mandatory notification of data breach scheme has been in effect for state agencies since July 1, 2025. Local government obligations commence July 1, 2026. Agencies must notify the QLD Office of the Information Commissioner and affected individuals of eligible data breaches, and maintain a public data breach register.
Record Breaches Drive Enforcement: Australia recorded 1,113 data breaches reported to the OAIC in 2024 — a 25% increase from 2023. In a landmark October 2025 decision, the Federal Court imposed Australia's first civil penalties under the Privacy Act — AUD $5.8 million against Australian Clinical Labs. Medibank and Optus proceedings remain active. The statutory tort for serious invasion of privacy, in effect since June 10, 2025, now gives individuals a direct right to sue.
Federal Strategy & Regulation
CISA Capacity Crisis Deepens: CISA has lost more than a third of its workforce under the current administration through layoffs, buyouts, and early retirements. The FY2026 budget supplement projects reducing staffing from 3,292 to 2,324 positions, with the Cybersecurity Division facing a $216 million cut (18%). A January 2026 DHS spending agreement provides $20 million to hire staff in five critical programs including Vulnerability Management and Threat Hunting. The contradiction is stark: the US is expanding reporting mandates (CIRCIA, BODs, KEV catalog) while cutting the agency that coordinates them.
CIRCIA Town Halls Underway, Final Rule Targeted for May: CISA's sector-specific town halls for the CIRCIA incident reporting rule begin in March, with the final rule affecting roughly 316,000 entities across 16 critical infrastructure sectors still expected in May 2026.
CVE & Vulnerability Programs
MITRE CVE Contract: Three Weeks to the Cliff: The CISA contract extension expires March 16, 2026. No public renewal or transition announcement has been made. The CVE Foundation continues developing as a nonprofit backstop. With FIRST forecasting a record 59,000+ CVEs for 2026 — potentially reaching 70,000-100,000 in realistic scenarios — the timing could not be worse.
Throwback: Issue #3 noted 30 days to the cliff. We're now at three weeks with no public signal. The community should be planning contingencies.
Legal & Researcher Protections
"I Found a Vulnerability. They Found a Lawyer.": Security engineer Yannick Dixken published a detailed account of discovering a critical vulnerability in a diving insurer's member portal that exposed children's personal data. Rather than thanking him, the organization's lawyers sent a same-day ultimatum threatening criminal prosecution under Maltese law and demanding he sign a confidentiality clause. Dixken refused. The case has become a visceral example of why bilateral safe harbor matters: an organization that exposed children's data weaponized the law against the person who tried to protect them.
Germany's Safe Harbor Law Still Stalled: The draft law to protect security researchers from prosecution under Section 202c of the German Criminal Code — introduced by the previous coalition government in November 2024 — was not finalized before the government change. An Oxford Academic paper published in the Journal of Cybersecurity (2026, Vol. 12) calls for European-level protection of security researchers.
Virginia Supreme Court Expands Computer Crime Scope: In a late 2024 decision with ongoing impact, the Virginia Supreme Court expanded the scope of Virginia's computer fraud statute to consider not just the "manner" of device use but the "purpose." This broadened interpretation means misuse of data obtained — not just unauthorized access — can constitute computer fraud, creating new legal risk for researchers operating under Virginia law.
AI & Emerging Tech Security
HackerOne AI Data Controversy: Trust vs. Automation: On February 18, HackerOne was forced to clarify its AI data practices after researchers raised concerns that vulnerability submissions were being used to train the company's Hai agentic AI system. HackerOne's description of agents "trained and refined using proprietary exploit intelligence informed by years of testing" prompted researchers to ask: whose intelligence? CEO Kara Sprague stated the company does not train models on researcher submissions and is updating Terms and Conditions to eliminate ambiguity. The incident signals that researcher data governance is becoming as important as vulnerability data collection — a new dimension of platform trust.
International Developments
EU Cybersecurity Package Reshapes the Regulatory Landscape: The European Commission's January 20 cybersecurity package proposed two major elements: a revised Cybersecurity Act (CSA2) introducing a horizontal framework for trusted ICT supply chain security with fines up to 7% of worldwide turnover for the most serious violations involving high-risk supplier components, and targeted NIS2 amendments that expand scope to digital wallet providers and submarine infrastructure while simplifying compliance for 28,700 companies. The NIS2 amendments also introduce enhanced ransomware reporting and certification-based compliance pathways.
UK Cyber Security and Resilience Bill in Committee: The Cyber Security and Resilience Bill entered Public Bill Committee on February 3, with line-by-line scrutiny expected to conclude by March 5. The Bill extends NIS regulation to data centres, MSPs, and "critical suppliers," mandates 24-hour initial incident notification, and is backed by GBP 210 million for public sector cyber resilience. Meanwhile, the CMA statutory defence for researchers continues to develop via the Crime and Policing Bill.
UN Cybercrime Treaty: 74 Signatures, Zero Ratifications: The Convention remains unratified by any member state, with 40 ratifications needed for entry into force. Australia signed in October 2025 despite having voted against the 2019 General Assembly resolution that initiated the drafting process. Security researchers remain concerned about provisions that could criminalize ethical vulnerability testing without explicit carve-outs for good-faith research.
Worth Reading
- Australia's cyber strategy needs a vulnerability disclosure upgrade (ASPI Strategist): Adam Dobell and Ilona Cohen argue for safe harbor provisions and federal bug bounty funding, noting that "the average cost of a data breach in Australia reached a record $4.26 million in 2024, while identifying vulnerabilities through ethical hackers costs on average $1670."
- When Security Researchers Become Criminals: The Vulnerability Disclosure Crisis of 2026 (TechPlanet): Analysis of the growing tension between expanding VDP mandates and persistent criminalization of the research that makes them work.
- 2026 Vulnerability Forecast (FIRST): Projecting 59,000+ CVEs this year with realistic scenarios reaching 100,000. Essential context for every policy conversation about vulnerability management capacity.
- Global Cybersecurity Outlook 2026 (WEF): Supply chain compromise and AI-enabled attacks identified as primary threat vectors driving the policy conversations above.
Friends of disclose.io
I Found a Vulnerability. They Found a Lawyer. by Yannick Dixken.
On a diving trip to Cocos Island, Costa Rica, security engineer Dixken discovered a critical vulnerability in a major diving insurer's member portal — one that exposed the personal data of children. What followed wasn't a thank-you but a legal threat: the organization's Data Privacy Officers' law firm demanded he sign a confidentiality clause and warned that his actions "likely constitute a criminal offence under Maltese law." The deadline? End of business the same day the letter was sent. Dixken refused to sign, noting he doesn't accept confidentiality clauses in cases involving exposed sensitive information — especially children's data. This is precisely why disclose.io exists: because the people who find the vulnerabilities shouldn't need lawyers more than the organizations that created them.
Policy Pulse is a weekly bulletin from disclose.io. Keeping the security research community informed on policy that affects our work.
Have a tip or want to contribute? Reply to this email, reach out on Twitter/X, or drop a comment here!