
Policy Pulse - Issue #7 | Week of March 22, 2026

Your weekly briefing on cybersecurity policy affecting vulnerability disclosure and security research.



Top Story

NIST SSDF 1.2 Final Version Due March 31: What VDP Practitioners Need to Know

The EO-mandated deadline for the final Secure Software Development Framework (SSDF) Version 1.2 is days away. Directed by the March 6 cybersecurity executive order, NIST must publish the finalized SP 800-218 Rev. 1 by March 31, 2026. The draft, released December 17, 2025, closed its public comment period on January 30 and introduces a new Practice PO.6 to the "Prepare the Organization" section, along with expanded implementation examples addressing modern development practices.

SSDF 1.2 matters because federal agencies and their contractors will be expected to align software procurement and development with this updated framework. For organizations operating vulnerability disclosure programs, the framework's emphasis on reducing vulnerabilities at the source, tracking root causes, and building secure-by-design practices into every stage of the SDLC directly complements the work VDP programs do downstream. Software producers who follow the SSDF should, in theory, be generating fewer vulnerabilities for researchers to find.

Why it matters for VDP: The SSDF shapes how software vendors build and ship code. Stronger upstream security practices reduce the volume of low-hanging vulnerabilities while (ideally) leaving researchers to focus on deeper, higher-impact findings. The final version will set expectations for federal software suppliers through 2026 and beyond.

(NIST SSDF 1.2 Draft)


Upcoming Deadlines & Events

  • Mar 31: EU CRA draft implementation guidance feedback deadline. Review and comment on the 70-page guidance defining "known vulnerability" and reporting timelines. (EU CRA Guidance)
  • Mar 31: NIST SSDF 1.2 final publication deadline (EO-mandated). (NIST SSDF)
  • Apr 2: NIST NCCoE concept paper feedback due on "Software and AI Agent Identity and Authorization." (NIST NCCoE)
  • May 1: DEF CON 34 Policy Track CFP deadline; Microsoft M365 E7 "Frontier Suite" launch.
  • May 2026: CIRCIA final rule (further delayed by DHS shutdown).
  • Aug 2: EU AI Act high-risk system requirements take effect.
  • Sep 11: EU CRA mandatory vulnerability reporting begins for all products with digital elements.

This Week in Policy

Federal Strategy & Regulation

  • DHS Shutdown Continues to Stall CIRCIA Rulemaking: The appropriations lapse that forced CISA to cancel CIRCIA town halls (March 9 through April 2) is still unresolved. With only 888 of 2,341 CISA staff designated "excepted" during the shutdown, the agency has confirmed the final incident reporting rule will be delayed beyond the already-pushed May 2026 target. The rule, which would require 72-hour incident reporting and 24-hour ransomware payment reporting across 16 critical infrastructure sectors and roughly 300,000 organizations, remains in limbo. (Federal News Network)

CVE & Vulnerability Programs

  • 20-Hour Exploit Turnaround Highlights Disclosure-to-Patch Gap: A critical flaw in Langflow (CVE-2026-33017, disclosed March 17) was weaponized within 20 hours of advisory publication, before public proof-of-concept code was available. Rapid7's 2026 Global Threat Landscape Report notes the median time from vulnerability publication to CISA KEV catalog inclusion dropped from 8.5 days to five, while exploited high- and critical-severity vulnerabilities surged 105%. The shrinking window between disclosure and exploitation underscores why coordinated disclosure and rapid vendor response are more critical than ever. (The Hacker News)

AI & Emerging Tech Security

  • NIST AI Agent Identity and Authorization Paper Open for Feedback: Following the 932 submissions to its AI Agent Security RFI (closed March 9), NIST's National Cybersecurity Center of Excellence released a concept paper on "Software and AI Agent Identity and Authorization." The paper addresses how autonomous AI agents should be identified, authenticated, and authorized, a foundational question as over 80% of Fortune 500 companies now deploy active AI agents. Feedback is due April 2, 2026. Virtual workshops are planned for April. (Federal News Network)

  • AI Browser Risks Surface for Federal Agencies: Unlike traditional browsers, AI-powered browsers act as autonomous assistants that gather data, make decisions, and perform actions on behalf of users. Federal cybersecurity experts are warning that bad actors can jailbreak LLMs or exploit AI browsers for unauthorized operations, and agencies are moving toward purple-teaming (combined attack-defense testing) as the recommended approach. The 2026 NDAA directs defense agencies to specifically address AI-related cybersecurity risks. (FedScoop)

  • SRLDF Strengthens Board with Casey Ellis and Jen Ellis: The Security Research Legal Defense Fund appointed Casey John Ellis and Jen Ellis to its board on March 18, expanding the leadership team alongside existing members Kurt Opsahl, Jim Dempsey, and Harley Geiger. The fund, which awarded a $20,000 grant in 2025 to three Maltese students facing criminal charges for responsible vulnerability disclosure, is positioning itself for broader global reach. Full details in the Friends section below. (SRLDF)

International Developments

  • Pall Mall Process Hits 27 State Sign-Ons, Industry Guidelines Coming: The Pall Mall State Code of Practice, the first comprehensive state-led compact embedding human rights, accountability, and transparency norms for the commercial cyber intrusion tools market, now has 27 state signatories. The outcome of current consultations will inform drafting of binding Industry Guidelines in 2026. For the VDP community, these norms matter: they draw a line between legitimate security tools and commercial exploit capabilities, helping establish which research activities and tools fall on the right side of international norms. (GOV.UK)

Worth Reading


Friends of disclose.io

Security Research Legal Defense Fund: Board Expansion Signals Global Ambitions

On March 18, the Security Research Legal Defense Fund (SRLDF) announced the appointment of Casey John Ellis and Jen Ellis to its board of directors, joining existing members Kurt Opsahl (President), Jim Dempsey, and Harley Geiger. The expansion marks a strategic shift for the nonprofit, which was founded in 2023 as a 501(c)(3) to provide legal assistance to security researchers facing legal threats for good-faith vulnerability disclosure.

The appointments bring deep operational experience from both sides of the disclosure equation. Casey John Ellis, founder of Bugcrowd and disclose.io, brings decades of work building VDP infrastructure and advocating for researcher protections globally. Jen Ellis, known for her work in cybersecurity policy and community building, brings practical expertise in bridging the gap between researchers and the institutions that sometimes pursue them. As Jen put it: "Researchers need practical legal support and stronger norms that protect good intent."

The SRLDF's track record already includes a $20,000 grant in 2025 to three Maltese university students who faced criminal charges after responsibly disclosing a vulnerability. With this expanded board, the fund has outlined four strategic priorities: providing legal assistance grants to researchers, expanding its global reach across continents, advancing policy and norms that distinguish legitimate research from criminal activity, and building community trust as a neutral, practitioner-led resource.

Key takeaways:

  • Board expanded from 3 to 5 members, adding operational VDP expertise alongside existing legal/policy strength
  • $20,000 grant precedent established for cross-border researcher defense
  • Four strategic priorities signal expansion beyond U.S.-centric cases
  • Kurt Opsahl: the new members' "deep roots in the security research community...will strengthen the SRLDF's ability to defend the good-faith research that advances cybersecurity for the public interest"

Read the full announcement

The SRLDF fills a critical gap in the VDP ecosystem: when researchers do everything right and still face legal threats, the fund provides the resources to defend them. Their work directly supports the legal foundation that makes coordinated disclosure possible.


Policy Pulse is a weekly bulletin from disclose.io. Keeping the security research community informed on policy that affects our work.

Have a tip or want to contribute? Reply to this email, reach out on Twitter/X, or drop a comment here!