Upcoming Dates
Key dates for the vulnerability disclosure and security research community: policy comment deadlines, regulations, CFPs, and international developments.
A continually updated reference for the vulnerability disclosure and security research community. Dates are organized by category and updated weekly alongside Policy Pulse.
Last updated: June 6, 2026
Policy Comment Deadlines
Jun 12, 2026 — NIST SP 800-230 IPD: Additional SLH-DSA Parameter Sets for Limited Signature Use Cases
Post-quantum signature parameter sets — directly relevant to crypto researchers and vuln disclosure of PQ implementations. NIST CSRC
Jun 15, 2026 — UK Cyber Security and Resilience Bill: Public Bill Committee written evidence
Critical window to shape statutory researcher protections and NIS2-equivalent vulnerability-reporting duties for UK operators of essential services. Submit ASAP. Bill page
Jun 16, 2026 — NIST SP 800-133 Rev. 3: Recommendation for Cryptographic Key Generation
Crypto-implementation baseline used to evaluate weak-key vulnerability reports across the disclosure ecosystem. NIST CSRC drafts
Jun 23, 2026 — EU AI Act: Draft Guidelines on Classification of High-Risk AI Systems (Article 6(5))
Determines which AI systems trigger conformity-assessment and vulnerability-reporting duties — sets the scope of coordinated disclosure for AI. Draft guidelines
Jun 26, 2026 — NIST IR 8500A: Blockchain-Based Secure Software Assets Management (BloSS@M)
Software-supply-chain provenance tracking that intersects with SBOM, CVE coordination, and downstream vulnerability attribution. NIST CSRC drafts
Jul 2, 2026 — NIST SP 800-228A: Secure Deployment of RESTful Web APIs
Codifies the API security baseline that researchers test and report against in VDPs covering web/API surfaces. NIST CSRC drafts
Jul 6, 2026 — NIST IR 8323 Rev. 2 IPD: Foundational PNT Profile
GPS/PNT cybersecurity profile — affects GPS spoofing/jamming disclosure framing for critical infrastructure researchers. NIST CSRC
Jul 8, 2026 — NIST SP 1800-41: Responding to and Recovering from a Cyber Attack (Manufacturing)
ICS/OT incident-response guidance relevant to manufacturer VDP intake, triage, and CSIRT coordination. NIST CSRC drafts
Jul 10, 2026 — NIST SP 800-52 Rev. 2 Crypto Publication Review: TLS Implementations
TLS implementation guidance review — direct touchpoint for TLS protocol vuln researchers. NIST CSRC
Jul 13, 2026 — NIST IR 8320E IPD: Hardware-Enabled Security for Confidential Computing in Cloud Workloads
Cloud TEE/SGX/SEV guidance — relevant to confidential-computing vulnerability disclosure researchers. NIST CSRC
Jul 31, 2026 — CISA .gov Registrar Information Collection (Docket CISA-2026-0001)
.gov TLD registry program collection — directly relevant to researchers reporting issues against federal .gov domains. Federal Register
Jul 31, 2026 — CISA State and Local Cybersecurity Grant Program Evaluation
Sets metrics influencing how state/local critical-infrastructure VDPs are funded and assessed. Federal Register
Jun 2026 (expected) — US Copyright Office: DMCA Section 1201 Tenth Triennial Rulemaking (Notice of Inquiry)
Renewal and potential expansion of the security-research exemption. The central US legal shield for good-faith vulnerability research on protected works. Copyright Office 1201
Dec 16, 2026 — UK DSIT Software Security Code of Practice: Evaluation Survey
Six-month call for evidence on the UK's voluntary Software Security Code (vulnerability disclosure + reporting expectations on software vendors). gov.uk consultation
Regulations Coming Into Effect
Jun 10, 2026 — CISA: FCEB remediation deadline for May 27 KEV additions
Federal civilian agencies must remediate Daemon Tools Lite (CVE-2026-8398), TanStack (CVE-2026-45321), Nx Console (CVE-2026-48027). Private-sector VDP programs should expect related reports. CISA alert
Jun 11, 2026 — EU CRA: Conformity assessment body designation begins
EU member states designate notifying authorities; CAB notification machinery for Notified Bodies activates ahead of September reporting obligations. EU CRA summary
Jun 30, 2026 — Colorado AI Act (SB 24-205) takes effect (postponed from Feb 1)
First comprehensive US state AI law: developers/deployers of high-risk systems owe "reasonable care" against algorithmic discrimination + AG notification of known discrimination risks. Establishes a state-AG channel for algorithmic-harm reports. SB 24-205
Jul 1, 2026 — Connecticut Data Privacy Act amendments (SB 1295)
Threshold drops from 100K to 35K consumers; opt-out of profiling even with humans in the loop; new privacy assessments. Sweeps in a much broader mid-market controller population that's net-new to documented disclosure paths. CT SB 1295
Jul 16, 2026 — New Jersey Data Privacy Act: cure-period sunset
30-day right-to-cure provision sunsets 18 months after Jan 15, 2025 effective date. After this, cure is entirely at AG discretion — enforcement risk for inadequate security/disclosure handling rises sharply. NJ DPA FAQ
Jul 17, 2026 — EU Critical Entities Resilience Directive: critical-entity designation deadline
Member States must formally designate critical entities across 11 sectors; designated entities then have 10 months → compliance by May 2027. Creates a new population needing formal CVD pathways adjacent to NIS2. Commission CER page
Aug 1, 2026 — California DELETE Act / DROP platform: broker compliance enforcement
Registered data brokers must access California's DROP every 45 days to process consumer deletion requests; failure = $200/request/day. DROP itself becomes a high-impact disclosure target. CA DROP
Aug 2, 2026 — EU AI Act: Article 50 transparency obligations take effect
AI-content labelling and interaction-notice rules go live. Commission enforcement powers under Articles 88-101 also activate for GPAI providers — fines up to 3% global turnover. Council of EU agreement
Sep 11, 2026 — EU CRA Article 14: Vulnerability reporting obligations enter into application
Manufacturers of products with digital elements must report actively exploited vulnerabilities (24h early warning, 72h notification, 14-day final report) via the ENISA Single Reporting Platform. First global mandatory exploited-vuln reporting clock. EU CRA reporting
Sep 30, 2026 — Cybersecurity Information Sharing Act of 2015 (CISA 2015) sunset
Current Feb 2026 reauthorization expires. Liability protections and antitrust safe harbor for cyber threat-indicator sharing terminate absent further congressional action. Wiley analysis
Oct 1, 2026 — Connecticut SB 5 (AI Transparency, Safety, and Consumer Protection Act)
Bans on AI-enabled discrimination, deepfakes, biometric scraping; mandatory provenance metadata on GPAI outputs >1M MAU. Another formal pathway for AI-generated-content authenticity and discriminatory-AI bug reports. CT SB 5
Q3 2026 (target) — CIRCIA Final Rule publication
72-hour incident reporting + 24-hour ransom-payment reporting for ~316,000 covered critical-infrastructure entities. Original May 2026 target slipped due to DHS funding lapse. 18-month effective-date clock begins on publication. CISA CIRCIA FAQs
Jan 1, 2027 — New York RAISE Act
Frontier-model developers (>$500M revenue, >10^26 FLOPs, >$100M compute) must publish safety frameworks pre-deployment and report safety incidents to NY DFS within 72h. First US state-level AI safety-incident reporting channel. Wiley alert
Jan 1, 2027 — Indiana Consumer Data Protection Act (ICDPA)
20th US comprehensive state privacy law. 100K consumer threshold; "reasonable" admin/technical/physical security required; AG-only enforcement, 30-day cure, $7,500/violation. Indiana Code Title 24 Art. 15
Jan 1, 2027 — Kentucky Consumer Data Privacy Act (HB 15)
Same threshold structure as Indiana. Data protection assessments required for processing created/generated after Jun 1, 2026. KY HB 15
Jan 1, 2027 — Texas Responsible AI Governance Act (TRAIGA, HB 149)
Bans manipulative/discriminatory AI; first US state AI law with explicit safe harbor for internal adversarial testing / red-team exercises — materially lowers legal risk for AI security research in Texas. TX HB 149
Conferences, CFPs, and Events
Jun 11, 2026 — IEEE S&P 2027 Cycle 1 paper submission deadline
Top-tier academic security venue; major VDP/exploitation/policy research published here. Event May 2027, Montreal. CFP
Jun 14-19, 2026 — 38th Annual FIRST Conference
Denver, CO. Global CSIRT and incident-response community; vulnerability coordination policy track. Conference page
Jun 16, 2026 — Hackers on the Hill
US Capitol, Washington DC. I Am The Cavalry's policy briefings; pairs with regional "Hackers on More Hills" events scaling through 2026. Register
Jun 19, 2026 — Black Hat Europe 2026 Arsenal CFP closes
Event December 7-10, ExCeL London. Tool-demo track for offensive/defensive practitioners. Event page
Jun 30, 2026 — BSides Canberra 2026 CFP closes
Event Sep 24-26 at the National Convention Centre, Canberra. Anchor Australian hacker conference with strong coordinated-disclosure track. Submit
Jul 9, 2026 — USENIX Security '26 Cycle 2 embargo deadline
Academic disclosure embargo gate for top-tier security venue. Event in Baltimore Aug 12-14. Call for papers
Aug 6-9, 2026 — DEF CON 34
Las Vegas Convention Center. Theme "Agency". Policy Village and AI Village confirmed. Policy CFP closed May 1; AI Village submissions still open. DEF CON 34 Policy
Aug 12-14, 2026 — USENIX Security '26
Baltimore, MD. Premier academic venue with active disclosure-policy track. Conference page
Aug 19, 2026 — NDSS 2027 Fall Cycle CFP closes
Event March 22-26 2027, Seoul. Top-tier network and system security venue for VDP-adjacent research. CFP
Aug 25, 2026 — USENIX Security '27 Cycle 1 paper submission deadline
Event Aug 11-13 2027, Denver. Primary academic venue for vulnerability research and disclosure case studies. Conference page
Oct 14-16, 2026 — AISA CyberCon Melbourne
Melbourne Convention & Exhibition Centre. Australia's largest cybersecurity conference; principal policy + practitioner stage for ANZ. Register
Nov 4-5, 2026 — ENISA European Cybersecurity Skills Conference
Larnaca, Cyprus. EU policy on cyber workforce, certification, and disclosure ecosystem — touches NIS2 / CRA implementation. Event page
Nov 15-19, 2026 — 33rd ACM CCS 2026
World Forum, The Hague, NL. Top-tier academic security conference co-located with European cyber-policy infrastructure. Conference page
Nov 17-18, 2026 — CODE BLUE 2026
Bellesalle Takadanobaba, Tokyo. Japan's flagship international security conference; APAC voice in vulnerability research / disclosure norms. Conference page
Nov 18, 2026 — Aspen Cyber Summit
Capital Turnaround, Washington DC. US public-private cyber-policy convening; senior CISA / DOJ / Hill engagement. Event page
Dec 7-10, 2026 — Black Hat Europe 2026
ExCeL London. EU industry policy + technical track converge here; closest European peer to Black Hat USA for the disclosure community. Event page
Dec 27-30, 2026 — 40C3 Chaos Communication Congress
Hamburg Messe, Hamburg. Anchor European hacker congress; longstanding free-software, civil-liberties, and disclosure-ethics venue. Event page
Summer 2026 — RSAC 2027 Call for Submissions opens
San Francisco event Apr 5-8 2027. Pattern from RSAC26 = July open, ~Aug 18 close. Submissions page
H2 2026 (TBD) — Pall Mall Process next diplomatic conference
Venue not yet public. Prior plenaries: London 2024, Paris 2026. Code of Practice on commercial cyber intrusion capabilities now signed by 25 states including the US. Pall Mall Declaration
International Developments
Jun 10, 2026 — UK Cyber Security and Resilience Bill: Commons Report Stage + Third Reading
Bill heads to Lords after this milestone. Royal Assent expected late 2026; phased implementation through 2028. Expands NIS scope to MSPs and data centres. Bill collection
Jun 2026 — Canada Bill C-8 (Critical Cyber Systems Protection Act): Senate passage / Royal Assent imminent
Passed House Third Reading Mar 26 2026; Senate passage reported June 2026. Regulations + critical-cyber-systems designations follow. No s.342.1 researcher-exception identified — gap vs UK/US trajectory. Bill C-8
Jul 20-24, 2026 — UN Global Mechanism on ICT Security: First Substantive Plenary
OEWG concluded July 2025; new single-track permanent mechanism's first substantive plenary. The new venue for state-level negotiations on cyber norms, application of international law, vulnerability-equities, and capacity building. Process tracker
Sep 30, 2026 (and annually) — CIRMP Annual Reports due under Australia's SOCI Act
Responsible Entities must submit via the approved form on the CISC website within 90 days of FY end. Locked-in annual cadence for critical-infrastructure cyber risk management programs. CISC reforms page
H2 2026 — Australia SOCI Act: Ministerial Directions Powers + Enhanced CIRMP Rules finalisation
Most substantial reshaping of AU critical-infrastructure cyber regime since 2021-2023, expanding sectoral scope (DNS, water, freight, broadcasting). Home Affairs consultation
H2 2026 — UK Computer Misuse Act statutory defence: National Security Bill introduction
Government commitment confirmed in the May 13 King's Speech. First reading expected autumn 2026. Statutory defence as drafted covers only ~300 chartered researchers (0.4% of UK cyber workforce) and excludes bug bounty, PoC development, academic research, agentic AI tooling. The Record
H2 2026 — ENISA NIS2 Technical Implementation Guidance v2 + sectoral rollout
ENISA's 170-page Technical Implementation Guidance (Jun 2025) is the live reference for Commission Implementing Regulation (EU) 2024/2690; updates and sector mappings continue through 2026-2027. Defines what "appropriate" vulnerability handling looks like for in-scope NIS2 entities. ENISA guidance
Q4 2026 — Final NIS2 transposition cluster (FR, IE, LU, PL, ES expected)
22 of 27 EU member states have transposed; final cluster expected through Q4 completes the harmonized incident-reporting regime atop NIS2. NIS2 status
Late 2026 — EU Cybersecurity Reserve operational under Cyber Solidarity Act
€36M Cybersecurity Reserve of trusted incident-response providers expected fully operational by end-2026. Standing pool of EU-funded responders for significant cyber incidents at Member State or EU-institution request. Cyber Solidarity
Dec 11, 2026 — EU CRA delegated act on EUCC presumption of conformity
Delegated act linking the European Cybersecurity Certification (EUCC) Common Criteria scheme to CRA conformity. Defines which certified products get presumption-of-conformity treatment — affects how vendor patches and assurance claims are weighted. EU CRA
Dec 31, 2026 — UN Cybercrime Convention (Hanoi) closes for signature
40 ratifications required for entry into force; 3 deposited so far (Qatar, Azerbaijan, Vietnam). Articles 6-10 risk criminalizing unauthorized-access research without sufficient safeguards. UNODC convention page
Mar 4, 2026+ (live) — Australia Cyber Security Act 2024: Smart Device Security Standards
IoT security standards commenced for critical infrastructure. Ransomware payment reporting (72h, AUD $3M+ turnover) moved from education-first to enforcement phase. Home Affairs
2026 — Counter Ransomware Initiative 6th Summit (location TBC)
5th Summit held in Singapore Oct 24 2025 (first outside the US); 74 member countries + international organisations; 6th Summit expected late 2026. CRI working groups shape software-supply-chain guidance and incident-reporting norms feeding into national VDP regimes. CRI
2026-2027 — EUVD seeking Top-Level Root CNA status
ENISA's European Vulnerability Database (launched May 2025) seeking Top-Level Root CVE Numbering Authority status alongside MITRE and CISA. First non-US Top-Level Root would be a structural shift in CVE program governance. EUVD
2026-2027 — Pall Mall Process Industry Guidelines drafted
Operationalization following Paris 2026 conference. Affects offensive-tool vendor due diligence with indirect effects on legitimate research tooling. Lawfare analysis
Pending / TBD (2026)
H2 2026 — H.R. 872 (Federal Contractor Cybersecurity Vulnerability Reduction Act)
Senate Homeland Security and Governmental Affairs Committee markup expected, likely tied to NDAA vehicle. Would mandate VDPs for federal contractors at and above the $250K simplified acquisition threshold — single largest VDP expansion since BOD 20-01. H.R. 872
H2 2026 — H.R. 8800 (FY27 NDAA): Title XV cyber provisions
Chairman's Mark passed House Armed Services Committee Jun 4-5 2026; floor vote summer 2026; Senate Armed Services markup July; conference fall 2026. Historically the highest-leverage federal vehicle for VDP-related amendments and DoD/DIB-VDP expansion. House Armed Services markup
H2 2026 — Active Cyber Defense Certainty Act (ACDC) — reintroduced May 18, 2026
15 bipartisan cosponsors; referred to House Judiciary. Most significant CFAA amendment proposal in years — creates "hack back" carve-out with FBI pre-notification gate, with direct implications for the boundary between defensive research and unauthorized access. Sponsor release
Jul 2026 — Ofcom Online Safety Act: Categorisation Register publication
Determines which services face Category 1/2A/2B duties. Indirectly affects vulnerability-reporting expectations for designated services. Ofcom roadmap
H2 2026 — Australia Privacy Act Tranche 2 exposure draft expected
AG Rowland confirmed Tranche 2 is progressing; expected within current parliamentary term. Privacy-tort cause of action would change legal risk calculus for security researchers handling personal data during disclosure. Privacy Act review
Summer-Autumn 2026 — UK Cyber Security and Resilience Bill: Royal Assent
Following Jun 10 Report Stage + Third Reading. Phased implementation through 2028. Expands NIS scope to MSPs and data centres. Bill page
H2 2026 — California SB 53: Transparency in Frontier AI Act enforcement build-out
Enacted Sep 29 2025 and in force from Jan 1 2026 — first annual transparency reports due 2026; Cal OES critical-incident-reporting infrastructure stands up across H2. Creates a researcher/employee disclosure channel distinct from CFAA. CA SB 53
H2 2026 — EU AI Act Digital Omnibus formal adoption
Political agreement reached May 7 2026 pushed Annex III high-risk AI rules from Aug 2 2026 to Dec 2 2027. Formal Council and Parliament adoption expected this half. Council of EU
This page is maintained by disclose.io as a community resource. Have a date we should add? Reply to any Policy Pulse issue or reach out on Twitter/X.