CISA’s 2020 directive required that federal agencies under its authority develop policies allowing researchers to report bugs and flaws in public-facing systems.
Article Link: NTSB Only Federal Agency Lacking a CISA-Mandated Vulnerability Disclosure Policy - Nextgov