On March 19th, 2021, DHS published a 60-day information collection request (ICR) notice to support the expansion of their Vulnerability Discovery program (VDP) to other agencies in the federal government. The comment period on the ICR notice closed this week. Only one additional comment was received beyond the two I reported on over a month ago. The last comment comes from CERT/CC at Carnegie Mellon University's Software Engineering Institute.
CERT/CC’s comment contains a very good description of the type of information needed in an actionable vulnerability report.
CISA will now evaluate the comments received and prepare their 30-day ICR notice. I suspect that there will be only a relatively short delay until that notice is published in the Federal Register. Typically, this takes a couple of months, but it has been known to take years on more controversial ICRs.