(a) DefinitionsIn this section:
(1) Bug bounty program
The term “bug bounty program” means a program under which an approved individual, organization, or company is temporarily authorized to identify and report vulnerabilities of internet-facing information technology of the Department in exchange for compensation.
(2) Information technology
The term “information technology” has the meaning given such term in section 11101 of title 40.
(b) Vulnerability Disclosure Policy
(1) In generalNot later than 180 days after December 23, 2022, the Secretary shall design, establish, and make publicly known a Vulnerability Disclosure Policy (referred to in this section as the “VDP”) to improve Department cybersecurity by—
(2) Annual reportsNot later than 180 days after the establishment of the VDP pursuant to paragraph (1), and annually thereafter for the following 5 years, the Secretary shall submit a report on the VDP to the Committee on Foreign Relations of the Senate, the Committee on Homeland Security and Governmental Affairs of the Senate, the Select Committee on Intelligence of the Senate, the Committee on Foreign Affairs of the House of Representatives, the Committee on Homeland Security of the House of Representatives, and the Permanent Select Committee on Intelligence of the House of Representatives that includes information relating to—
(C)
the current number of outstanding previously unidentified security vulnerabilities and Department of State remediation plans;
(D)
the average time between the reporting of security vulnerabilities and remediation of such vulnerabilities;
(E)
the resources, surge staffing, roles, and responsibilities within the Department used to implement the VDP and complete security vulnerability remediation;
(F)
how the VDP identified vulnerabilities are incorporated into existing Department vulnerability prioritization and management processes;
(c) Bug bounty program report
(1) In general
Not later than 180 days after December 23, 2022, the Secretary shall submit a report to Congress that describes any ongoing efforts by the Department or a third-party vendor under contract with the Department to establish or carry out a bug bounty program that identifies security vulnerabilities of internet-facing information technology of the Department.
(2) ReportNot later than 180 days after the date on which any bug bounty program is established, the Secretary shall submit a report to the Committee on Foreign Relations of the Senate, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Foreign Affairs of the House of Representatives, and the Committee on Homeland Security of the House of Representatives regarding such program, including information relating to—
(A) the number of approved individuals, organizations, or companies involved in such program, disaggregated by the number of approved individuals, organizations, or companies that—
(C)
the number of previously unidentified security vulnerabilities remediated as a result of such program;
(D)
the current number of outstanding previously unidentified security vulnerabilities and Department remediation plans for such outstanding vulnerabilities;
(E)
the average length of time between the reporting of security vulnerabilities and remediation of such vulnerabilities;
(H)
the public accessibility of contact information for the Department regarding the bug bounty program;
(I)
the incorporation of bug bounty program identified vulnerabilities into existing Department vulnerability prioritization and management processes; and
(J)
any challenges in implementing the bug bounty program and plans for expansion or contraction in the scope of the bug bounty program across Department information systems.