
Policy Pulse - Issue #8 | Week of March 29, 2026

CVE program funding secured but transparency questions remain. Plus: lookup.disclose.io launches in beta, EU CRA countdown hits 6 months, and Rapid7 reports exploited vulns surged 105%.


Your weekly briefing on cybersecurity policy affecting vulnerability disclosure and security research.


Top Story

CVE Program Funding Secured, But Transparency Questions Linger

The MITRE CVE contract, which was set to expire on March 16 after an 11-month emergency extension from CISA, has been renewed under what sources describe as a "more durable arrangement." During the CVE Board's January 21 meeting, members were told there would be "no funding cliff in March" and that "ongoing operations and planning extend well beyond that timeframe." The critical shift: CVE program funding has moved from discretionary, compete-for-leftovers status within CISA's budget to "above-the-line" prioritized funding.

However, the details remain opaque. Multiple sources have characterized the new deal as "a mystery contract with a mystery number," raising concerns about transparency for a program that underpins the global vulnerability ecosystem. Meanwhile, the CVE Foundation continues its development as a nonprofit backstop, pursuing shared global responsibility with multiple funding sources from public, private, and nonprofit organizations.

Why it matters for VDP: The CVE program is foundational infrastructure for vulnerability disclosure. Every VDP, bug bounty platform, and coordinated disclosure process depends on CVE identifiers to track and communicate about vulnerabilities. Stable, transparent funding is not optional; it is essential.

Throwback: In Issue #5, we covered the contract entering its final two weeks with no public renewal announced. Issue #6 reported funding secured. The transparency gap we flagged remains.


Upcoming Deadlines & Events

  • Mar 19 (passed): NY RAISE Act took effect, requiring frontier AI developers to maintain cybersecurity protections and report safety incidents within 72 hours
  • Apr 2: NIST AI Agent Identity Paper comments due
  • Apr 24: NIST NCCoE DevSecOps Practices live document comment period closes (submit to nccoe-devsecops@list.nist.gov)
  • May 2026: CIRCIA final rule targeted
  • Jun 11: EU Cyber Resilience Act: Chapter IV on conformity assessment body notification applies
  • Aug 2: EU AI Act high-risk AI system obligations take full effect (conformity assessment, risk management, documentation)
  • Sep 11: EU Cyber Resilience Act vulnerability reporting obligations begin (24hr/72hr/14-day timelines)
  • Dec 31: UN Cybercrime Treaty signature period closes at UN HQ New York (74 signatories, 1 ratification so far)

This Week in Policy

Federal Strategy & Regulation

  • NIST NCCoE Releases Live DevSecOps Practices Document for Public Comment: The National Cybersecurity Center of Excellence published a live document demonstrating how organizations can implement the Secure Software Development Framework (SSDF) using modern DevSecOps pipelines and commercially available technology. Unlike traditional static publications, this document will be updated on a rolling basis. Comments are open through April 24, 2026. (NIST CSRC)

  • CISA BOD 26-02 Implementation Underway: Agencies Inventorying Edge Devices: Federal agencies are now in the inventory phase of CISA's Binding Operational Directive 26-02, with the May 5 deadline approaching to identify all end-of-support edge devices (routers, firewalls, VPN appliances, load balancers). Full replacement is required within 18 months. (CISA)

CVE & Vulnerability Programs

  • CVE Contract Renewed with "Above-the-Line" Funding: As detailed in the Top Story, the MITRE CVE program has moved past the March 16 expiration date with new, prioritized funding. The CVE Foundation continues parallel development as a nonprofit governance alternative. (CSO Online)

  • Rapid7 Report: Exploited Critical Vulnerabilities Surged 105%, Attack Timelines Collapsing: Rapid7's 2026 Global Threat Landscape Report found that exploited high- and critical-severity vulnerabilities more than doubled year-over-year (71 to 146), while the median time from publication to CISA KEV inclusion dropped from 8.5 days to 5 days. With the mean time from disclosure to KEV dropping from 61 days to 28.5 days, the window between exploitation and formal tracking is closing fast. (Rapid7 Blog)

AI & Emerging Tech Security

  • NIST CAISI AI Agent Security RFI Comment Period Closed: The March 9 deadline passed for public input on NIST's Center for AI Standards and Innovation (CAISI) Request for Information on securing AI agent systems. The RFI focused on security threats from models interacting with adversarial data (indirect prompt injection), insecure models (data poisoning), and autonomous actions that harm security even without adversarial inputs. Responses will inform upcoming standards. (NIST)

  • Cisco Unveils Zero Trust for Agentic AI at RSA 2026: On March 23, Cisco announced DefenseClaw, an open-source security framework for wrapping AI agents in enterprise-grade protection. New Duo IAM capabilities allow organizations to register AI agents with verified identities mapped to human owners, enforce strict access controls on agentic actions, and gain visibility over their "agentic workforce." (Cisco Newsroom)

  • NY RAISE Act Now in Effect: New York's Responsible AI Safety and Education Act took effect March 19, requiring large AI developers (those spending over $100M in compute training costs) to maintain cybersecurity protections, monitor for safety incidents, and report incidents to the state within 72 hours. This aligns New York with California's frontier AI legislation. (Norton Rose Fulbright)

International Developments

  • UN Cybercrime Treaty: 74 Signatures, 1 Ratification, Growing Criticism: Qatar became the first nation to formally ratify the UN Cybercrime Treaty in February 2026. The treaty remains open for signature until December 31, 2026, but needs 40 ratifications to enter into force. The US has declined to sign. Civil society concerns persist about provisions that could compel disclosure of unknown vulnerabilities and encryption keys, directly threatening security research. (UNODC)

  • EU CRA Countdown: Six Months to Vulnerability Reporting Obligations: Manufacturers of products with digital elements have until September 11, 2026, to comply with the EU Cyber Resilience Act's reporting requirements for actively exploited vulnerabilities: a 24-hour early warning, a 72-hour full notification, and a final report within 14 days of a corrective measure becoming available (one month for severe incidents). The Single Reporting Platform is being prepared. This applies to products already on the EU market, not just new ones. (European Commission)


Friends of disclose.io

disclose.io: Introducing lookup.disclose.io (Beta)

We are excited to announce that lookup.disclose.io is now live in beta. Lookup is a security attribution tool built to answer the question every security researcher asks when they find a vulnerability: "Who do I report this to?"

Lookup supports 16 input types (domains, IPs, ASNs, packages, repositories, cloud resources, and more) with cross-strategy chaining. A package lookup can chain to its repository, which chains to the organization's domain, which finds their security.txt or VDP. The goal: reduce the friction between finding a vulnerability and getting it to the right team, every single time.

Key features:

  • 16 input types with automatic classification and cross-strategy chaining
  • Integration with the disclose.io Database (diodb), security.txt, DNS Security TXT, and national CERT data (34 countries)
  • CLI, API, and web interface (dark mode, naturally)
  • Open source, built on Bun/TypeScript

This is a beta release, and we are actively looking for feedback from researchers, coordinators, and program operators. Try it, break it, tell us what is missing.
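The package -> repository -> domain -> security.txt chain described above, as an added TypeScript example that is not lookup.disclose.io's own code: it classifies four of the input types, follows one strategy per hop, parses only the RFC 9116 fields a reporter needs, and flags a security.txt whose Expires date has passed. The package registry, the diodb-style owner-to-domain mapping and the security.txt bodies are constructed in-memory stand-ins, so nothing is fetched.

```typescript
// Added example, not lookup.disclose.io's own code. All lookups below read constructed
// in-memory tables standing in for a package registry, diodb and a security.txt fetch.
type Kind = "ip" | "domain" | "package" | "repository"; // 4 of the tool's 16 input types

// Constructed: package coordinate -> source repository (what a registry would return).
const PACKAGES: Record<string, string> = { "npm:widget-example": "https://github.com/example-org/widget-example" };
// Constructed: repository owner -> organisation domain (what diodb would return).
const ORG_DOMAINS: Record<string, string> = { "example-org": "example.com" };
// Constructed: /.well-known/security.txt bodies keyed by domain (RFC 9116 fields).
const SECURITY_TXT: Record<string, string> = {
  "example.com": "# constructed sample\nContact: mailto:security@example.com\n" +
    "Policy: https://example.com/vdp\nExpires: 2027-01-01T00:00:00.000Z\n",
};

function classify(input: string): Kind {
  if (/^(\d{1,3}\.){3}\d{1,3}$/.test(input)) return "ip";
  if (/^(npm|pypi|cargo):[^\s/]+$/.test(input)) return "package";
  if (/^https:\/\/github\.com\/[^/]+\/[^/]+$/.test(input)) return "repository";
  return "domain";
}

interface Contact { contact?: string; policy?: string; expired?: boolean }

// Keep only the RFC 9116 fields a reporter needs; comments and unknown fields are skipped.
// A file past its Expires date must not be trusted as a current contact.
function parseSecurityTxt(body: string, now: Date): Contact {
  const out: Contact = {};
  for (const line of body.split("\n")) {
    const m = /^([A-Za-z-]+):\s*(\S.*)$/.exec(line.trim());
    if (!m) continue;
    const field = m[1].toLowerCase(); // field names are case-insensitive
    if (field === "contact" && !out.contact) out.contact = m[2];
    if (field === "policy" && !out.policy) out.policy = m[2];
    if (field === "expires") out.expired = new Date(m[2]).getTime() < now.getTime();
  }
  return out;
}

// One strategy per hop; the chain is recorded so the researcher can audit how the
// contact was derived. Stops at the first domain that publishes a security.txt.
function resolve(input: string, now: Date, chain: string[] = []): Contact & { chain: string[] } {
  const kind = classify(input);
  chain.push(`${kind}:${input}`);
  if (kind === "package" && PACKAGES[input]) return resolve(PACKAGES[input], now, chain);
  if (kind === "repository" && ORG_DOMAINS[input.split("/")[3]]) {
    return resolve(ORG_DOMAINS[input.split("/")[3]], now, chain);
  }
  if (kind === "domain" && SECURITY_TXT[input]) return { chain, ...parseSecurityTxt(SECURITY_TXT[input], now) };
  return { chain }; // IPs would chain via reverse DNS or ASN data in the real tool; omitted here
}
```

Each hop is appended to `chain`, so a researcher can see exactly which strategy produced the contact before trusting it.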


disclose.io builds open-source tools and standards to make vulnerability disclosure safer, easier, and more accessible for everyone. From the Policymaker to the diodb to Lookup, every tool is community-driven and vendor-agnostic.




Policy Pulse is a weekly bulletin from disclose.io. Keeping the security research community informed on policy that affects our work.

Have a tip or want to contribute? Reply to this email, reach out on Twitter/X, or drop a comment here!