U.S. Code last checked for updates: Nov 26, 2024
§ 10306. Vulnerability disclosure policy and bug bounty program report

(a) Definitions
In this section:
    (1) Bug bounty program
    (2) Information technology
(b) Vulnerability Disclosure Policy
    (1) In general
    Not later than 180 days after December 23, 2022, the Secretary shall design, establish, and make publicly known a Vulnerability Disclosure Policy (referred to in this section as the “VDP”) to improve Department cybersecurity by—
        (A) creating Department policy and infrastructure to receive reports of and remediate discovered vulnerabilities in line with existing policies of the Office of Management and Budget and the Department of Homeland Security Binding Operational Directive 20–01 or any subsequent directive; and
        (B) providing a report on such policy and infrastructure to Congress.
    (2) Annual reports
    Not later than 180 days after the establishment of the VDP pursuant to paragraph (1), and annually thereafter for the following 5 years, the Secretary shall submit a report on the VDP to the Committee on Foreign Relations of the Senate, the Committee on Homeland Security and Governmental Affairs of the Senate, the Select Committee on Intelligence of the Senate, the Committee on Foreign Affairs of the House of Representatives, the Committee on Homeland Security of the House of Representatives, and the Permanent Select Committee on Intelligence of the House of Representatives that includes information relating to—
        (A) the number and severity of all security vulnerabilities reported;
        (B) the number of previously unidentified security vulnerabilities remediated as a result;
        (C) the current number of outstanding previously unidentified security vulnerabilities and Department of State remediation plans;
        (D) the average time between the reporting of security vulnerabilities and remediation of such vulnerabilities;
        (E) the resources, surge staffing, roles, and responsibilities within the Department used to implement the VDP and complete security vulnerability remediation;
        (F) how the VDP identified vulnerabilities are incorporated into existing Department vulnerability prioritization and management processes;
        (G) any challenges in implementing the VDP and plans for expansion or contraction in the scope of the VDP across Department information systems; and
        (H) any other topic that the Secretary determines to be relevant.
(c) Bug bounty program report
    (1) In general
    (2) Report
    Not later than 180 days after the date on which any bug bounty program is established, the Secretary shall submit a report to the Committee on Foreign Relations of the Senate, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Foreign Affairs of the House of Representatives, and the Committee on Homeland Security of the House of Representatives regarding such program, including information relating to—
        (A) the number of approved individuals, organizations, or companies involved in such program, disaggregated by the number of approved individuals, organizations, or companies that—
            (i) registered;
            (ii) were approved;
            (iii) submitted security vulnerabilities; and
            (iv) received compensation;
        (B) the number and severity of all security vulnerabilities reported as part of such program;
        (C) the number of previously unidentified security vulnerabilities remediated as a result of such program;
        (D) the current number of outstanding previously unidentified security vulnerabilities and Department remediation plans for such outstanding vulnerabilities;
        (E) the average length of time between the reporting of security vulnerabilities and remediation of such vulnerabilities;
        (F) the types of compensation provided under such program;
        (G) the lessons learned from such program;
        (H) the public accessibility of contact information for the Department regarding the bug bounty program;
        (I) the incorporation of bug bounty program identified vulnerabilities into existing Department vulnerability prioritization and management processes; and
        (J) any challenges in implementing the bug bounty program and plans for expansion or contraction in the scope of the bug bounty program across Department information systems.
(Pub. L. 117–263, div. I, title XCV, § 9509, Dec. 23, 2022, 136 Stat. 3907.)

Cite as: 22 USC 10306