Title 22, Foreign Relations and Intercourse. Release point: 119-73not60

§10306 Vulnerability Disclosure Policy and Bug Bounty Program Report

Title 22, Chapter 110 (Information Security and Cyber Diplomacy), § 10306

Last updated: Apr 5, 2026 (official source)

Summary

Vulnerability Disclosure Policy: the Secretary must create and publish a Vulnerability Disclosure Policy (VDP) within 180 days after December 23, 2022 to make the Department’s internet-facing systems safer. The VDP must set up a way to receive reports of security vulnerabilities and remediate them in line with existing OMB guidance and DHS Binding Operational Directive 20–01 (or any successor directive). Within 180 days after the VDP is established, and then once a year for the following 5 years, the Secretary must report on the VDP to these Senate committees: Foreign Relations; Homeland Security and Governmental Affairs; Select Committee on Intelligence; and to these House committees: Foreign Affairs; Homeland Security; Permanent Select Committee on Intelligence. Those reports must cover the number and severity of vulnerabilities reported, how many previously unknown vulnerabilities were fixed, outstanding vulnerabilities and remediation plans, the average time from report to fix, the staff and resources used, how VDP findings are folded into existing prioritization processes, implementation challenges, and any other relevant details.

Bug bounty program: outside testers can be temporarily approved to find and report vulnerabilities in exchange for compensation. Within 180 days after December 23, 2022, the Secretary must tell Congress about any work by the Department or a contracted vendor to set up or run such a program. Then, within 180 days after any bug bounty program starts, the Secretary must report to the Senate Committees on Foreign Relations and Homeland Security and Governmental Affairs and to the House Committees on Foreign Affairs and Homeland Security. That report must include the number of participants (registered, approved, who reported, who were paid), the number and severity of findings, fixes made and outstanding issues with plans, the average time to fix, the types of compensation used, lessons learned, public contact information, how findings are folded into existing processes, and challenges or plans to change the program’s scope.

Full Legal Text

Title 22, §10306

Foreign Relations and Intercourse — Source: USLM XML via OLRC

(a) In this section:
    (1) The term “bug bounty program” means a program under which an approved individual, organization, or company is temporarily authorized to identify and report vulnerabilities of internet-facing information technology of the Department in exchange for compensation.
    (2) The term “information technology” has the meaning given such term in section 11101 of title 40.
(b)(1) Not later than 180 days after December 23, 2022, the Secretary shall design, establish, and make publicly known a Vulnerability Disclosure Policy (referred to in this section as the “VDP”) to improve Department cybersecurity by—
        (A) creating Department policy and infrastructure to receive reports of and remediate discovered vulnerabilities in line with existing policies of the Office of Management and Budget and the Department of Homeland Security Binding Operational Directive 20–01 or any subsequent directive; and
        (B) providing a report on such policy and infrastructure to Congress.
    (2) Not later than 180 days after the establishment of the VDP pursuant to paragraph (1), and annually thereafter for the following 5 years, the Secretary shall submit a report on the VDP to the Committee on Foreign Relations of the Senate, the Committee on Homeland Security and Governmental Affairs of the Senate, the Select Committee on Intelligence of the Senate, the Committee on Foreign Affairs of the House of Representatives, the Committee on Homeland Security of the House of Representatives, and the Permanent Select Committee on Intelligence of the House of Representatives that includes information relating to—
        (A) the number and severity of all security vulnerabilities reported;
        (B) the number of previously unidentified security vulnerabilities remediated as a result;
        (C) the current number of outstanding previously unidentified security vulnerabilities and Department of State remediation plans;
        (D) the average time between the reporting of security vulnerabilities and remediation of such vulnerabilities;
        (E) the resources, surge staffing, roles, and responsibilities within the Department used to implement the VDP and complete security vulnerability remediation;
        (F) how the VDP identified vulnerabilities are incorporated into existing Department vulnerability prioritization and management processes;
        (G) any challenges in implementing the VDP and plans for expansion or contraction in the scope of the VDP across Department information systems; and
        (H) any other topic that the Secretary determines to be relevant.
(c)(1) Not later than 180 days after December 23, 2022, the Secretary shall submit a report to Congress that describes any ongoing efforts by the Department or a third-party vendor under contract with the Department to establish or carry out a bug bounty program that identifies security vulnerabilities of internet-facing information technology of the Department.
    (2) Not later than 180 days after the date on which any bug bounty program is established, the Secretary shall submit a report to the Committee on Foreign Relations of the Senate, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Foreign Affairs of the House of Representatives, and the Committee on Homeland Security of the House of Representatives regarding such program, including information relating to—
        (A) the number of approved individuals, organizations, or companies involved in such program, disaggregated by the number of approved individuals, organizations, or companies that—
            (i) registered;
            (ii) were approved;
            (iii) submitted security vulnerabilities; and
            (iv) received compensation;
        (B) the number and severity of all security vulnerabilities reported as part of such program;
        (C) the number of previously unidentified security vulnerabilities remediated as a result of such program;
        (D) the current number of outstanding previously unidentified security vulnerabilities and Department remediation plans for such outstanding vulnerabilities;
        (E) the average length of time between the reporting of security vulnerabilities and remediation of such vulnerabilities;
        (F) the types of compensation provided under such program;
        (G) the lessons learned from such program;
        (H) the public accessibility of contact information for the Department regarding the bug bounty program;
        (I) the incorporation of bug bounty program identified vulnerabilities into existing Department vulnerability prioritization and management processes; and
        (J) any challenges in implementing the bug bounty program and plans for expansion or contraction in the scope of the bug bounty program across Department information systems.

Statutory Notes and Related Subsidiaries

Definitions: “Department” and “Secretary” as used in this section mean the Department and Secretary of State, unless otherwise specified; see section 9002 of Pub. L. 117–263, set out as a note under section 2651 of this title.

Citations & Metadata

Citation

22 U.S.C. § 10306
