Request for Comments on Improving Vulnerability Identification, Management, and Remediation

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Office of Management and Budget.


Notice of public comment period.


The Office of Management and Budget (OMB) is seeking public comment on a draft memorandum titled, “Improving Vulnerability Identification, Management, and Remediation.”


The 30-day public comment period on the draft memorandum begins on the day it is published in the Federal Register and ends 30 days after the date of publication in the Federal Register.


Interested parties should provide comments via electronic mail to The Office of Management and Budget is located at 725 17th Street NW, Washington, DC 20503. No physical copies will be accepted.


Matthew T. Cornelius, OMB, at 202.881.7386 or


The Office of Management and Budget (OMB) is proposing guidance to Federal agencies on the publication and implementation of Vulnerability Disclosure Policies (VDPs). VDPs, which are processes for the intake and addressing of security vulnerabilities uncovered by security researchers and the public, are among the most effective methods for obtaining new insights regarding security vulnerability information. They also provide protection for those who uncover these vulnerabilities by differentiating between acceptable and unacceptable means of gathering security information (also known as “authorizing good faith security research”). VDPs make it easier for the security research community to report vulnerabilities to appropriate agency contacts, who can then use the reports to address vulnerabilities of which they may not have been aware.

Authority for this notice is granted under the Federal Information Security Modernization Act of 2014 (44 U.S.C. 3553-3554).

Suzette Kent,

Federal Chief Information Officer, Office of the Federal Chief Information Officer.

[FR Doc. 2019-25715 Filed 11-26-19; 8:45 am]