Wire · founder news, decoded · regulatory
CISA folds its own hard-won lessons into coordinated vulnerability disclosure guidance
CISA published coordinated vulnerability disclosure guidance for software vendors, drawing directly from its own May 2026 incident where a researcher's nine emails went unanswered and credentials leaked via public GitHub. The guidance maps CISA's operational failures—undefined reporting channels, no cloud incident playbook, slow key rotation—into concrete recommendations: security.txt files, 2-3 day acknowledgement windows, separated disclosure/support channels, and safe-harbour language for researchers.
This Wire brief sits within Fusion42's coverage of Cybersecurity. Wire is Fusion42's founder-focused intelligence feed: each story is connected to the funds and startups it names — every one with a live profile on Raise or Scout — so founders can follow the capital and the momentum behind the headline rather than just the headline itself. Wire analysis is one of the live surfaces Arthur, Fusion42's AI co-founder, reasons over.
The Wire takeaway
If you sell software to US federal agencies or the EU, you now have a public playbook for how to accept vulnerability reports—and CISA has just made it a compliance requirement. The path from researcher to fix that took CISA nine unanswered emails is now the thing you cannot do.
Read the full story at helpnetsecurity.com →
Topics: Cybersecurity · vulnerability-disclosure · security-incident-response · cisa-guidance · secrets-scanning · federal-compliance