Statewide Vulnerability Disclosure Program BOD 25-3

Revision History

  • Date Issued: 10/07/2025
  • Expiration Date: This Directive remains in effect until officially modified or revoked.
  • Version 1.0
  • Approved by Katie Savage, Secretary & State Chief Information Officer, Maryland Department of Information Technology and James Saunders, State Chief Information Security Officer

  1. Purpose

    The objective of this Binding Operational Directive (BOD) is to define and ensure deployment of and adherence to the Vulnerability Disclosure Program (VDP), the formal authorized means for external security researchers to engage in the good-faith identification of potential security vulnerabilities in State owned, operated, and/or managed systems, as defined further within this document and in established and published Maryland State policy. The VDP further provides the process by which reported vulnerabilities are reviewed, verified, and remediated.

    The VDP serves as a crowdsourced "see something, say something" initiative in which an organization invites external security researchers to find and report security vulnerabilities in its systems. This facilitates the State's awareness of otherwise unknown vulnerabilities, enhancing the State's ability to identify and remediate vulnerabilities before malicious actors can exploit them, augmenting existing vulnerability management efforts, and protecting State data and services.

    This directive mandates participation and establishes the required actions for Entities within the VDP framework.

  2. Background

    Consistent with recommended best practices established by the federal Cybersecurity and Infrastructure Security Agency (CISA) (CISA Binding Operational Directive 20-01) and the State's commitment to robust cybersecurity, the Maryland Department of Information Technology (DoIT) Office of Security Management (OSM) is establishing a statewide VDP. The VDP provides a formal framework through which external security researchers can report vulnerabilities in good faith, and enables State Agencies and applicable organizations, as defined below and within existing policy, to review, validate, and remediate reported items.

  3. Authority

    Md. Code, State Finance & Procurement § 3.5-2A-04(A)(1)(i): Assigns DoIT OSM responsibility for directing, coordinating, and implementing cybersecurity strategy and policy for State government units.

    Md. Code, State Finance & Procurement § 3.5-2A-04(B)(7): Assigns the State CISO authority to identify cybersecurity risks to networkMaryland and take action to mitigate the threats.

    Md. Code, State Finance & Procurement § 3.5-404(D): Establishes the requirement for Local entities that use networkMaryland to certify compliance with minimum security standards.

  4. Scope

    This directive applies to the following organizations (hereafter collectively referred to as "Entities"):

      4.1 State Government: Unless otherwise expressly exempted, all agencies or units of the Executive Branch of State government and all Maryland State departments, agencies, boards, and commissions that meet either of the following criteria:

        a) Own, operate, or manage systems directly connected to and utilizing services provided via networkMaryland; or

        b) Utilize official State domain names provided, managed, or delegated by the State, including but not limited to: *.maryland.gov, *.md.gov, *.state.md.us.

      4.2 Local Government & Other Eligible Entities: All Maryland local government entities (including counties, municipalities, boards, commissions, and other political subdivisions of the State), as well as any other non-Executive Branch agencies (e.g., quasi-governmental organizations, educational institutions) that meet either of the following criteria:

        a) Own, operate, or manage systems directly connected to and utilizing services provided via networkMaryland; or

        b) Utilize official State domain names provided, managed, or delegated by the State, including but not limited to: *.maryland.gov, *.md.gov, *.state.md.us.

      VDP Scope Context: The VDP itself, managed by DoIT OSM, covers publicly accessible systems and services associated with all applicable Entities defined in 4.1 and 4.2. The specific scope for external security researchers (detailing target systems, permitted testing, out-of-scope activities, etc.) will be maintained in the official Maryland VDP. This directive establishes response and remediation actions for Entities when vulnerabilities concerning their assets (that fall within the VDP's scope) are reported through the official VDP channel managed by DoIT OSM.

  5. Directives

    Upon the effective date of this BOD, applicable Entities must undertake the following actions:

      5.1 Acknowledge VDP Directive: Acknowledge this directive by providing one or more Points of Contact (POC) emails and phone numbers to [email protected] within 30 days of the VDP BOD's publication.

      5.2 Report Acknowledgement of Vulnerability Reports: Acknowledge receipt of each vulnerability report to DoIT OSM within 2 business days by responding to the communication delivering it.

      5.3 Coordinate Remediation: Actively coordinate remediation planning, execution, and validation efforts with DoIT OSM. This includes providing necessary information for risk assessment and remediation tracking.

      5.4 Remediate Vulnerabilities within Established Timelines: Use best efforts to remediate validated vulnerabilities according to severity-based timelines established and communicated by DoIT OSM. DoIT OSM will provide specific remediation targets based on the final severity assessment (Critical, High, Medium, Low). In the event remediation is not possible, Entities must seek risk acceptance following the established processes. These timelines and processes will align with State’s risk management policies and established frameworks (e.g., Common Vulnerability Scoring System (CVSS)).

      5.5 Confirm Remediation: Notify DoIT OSM upon completion of remediation actions and cooperate with DoIT OSM to validate the effectiveness of the remediation.

      5.6 Implement VDP Visibility Best Practices: Collaborate with DoIT OSM to implement technical best practices that signal the availability of the VDP (e.g., adding a link to the VDP within website footers of covered websites; etc.).

  6. Safe Harbor

    Maryland recognizes the importance of external security researchers in identifying and reporting vulnerabilities that could impact our systems, constituents, and data. We are committed to working with the security community to strengthen our defenses and appreciate responsible disclosures made in good faith. As such, the VDP will include a Safe Harbor for external security researchers who act in good faith.

    All research under this VDP must be conducted in good faith. "Good faith" means security research conducted with the intent to follow the VDP, without any malicious motive, and solely for the purpose of testing or investigating a security flaw or vulnerability and disclosing those findings in alignment with the VDP. The security researcher's actions should be consistent with an attempt to improve security and to avoid doing harm, whether through unwarranted invasions of privacy or damage to property.

    If DoIT and OSM determine that research was conducted in good faith, they will consider that security research to be authorized, will work with the external security researcher(s) to understand and resolve reports quickly, and will not recommend legal action related to the security research.

    Should legal action be initiated by a third party against the security researcher for research conducted in accordance with the VDP, DoIT and OSM will make this authorization known. External security researchers must comply with all applicable Federal, State, and local laws in connection with the security research activities or other participation in the VDP.

    By participating in our VDP, external security researchers acknowledge and agree to the VDP’s terms. If there are questions about the scope or interpretation of this Safe Harbor, we encourage external security researchers to seek clarification before conducting testing.

  7. DoIT OSM Responsibilities

    DoIT OSM is responsible for the central management and execution of the statewide VDP, which includes:

    • Maintaining the VDP program and reporting platform (currently facilitated via Bugcrowd).
    • Receiving, triaging, and validating vulnerability submissions from external security researchers.
    • Determining the severity rating of validated vulnerabilities.
    • Communicating validated vulnerability reports and associated remediation timelines to the affected Entities.
    • Tracking remediation progress across Entities.
    • Providing subject matter expertise and guidance to Entities upon request.
    • Coordinating validation of remediation actions.
    • Maintaining overall program documentation and reporting.

  8. Compliance, Reporting, and Enforcement

    Compliance with this directive is mandatory. Non-compliance may result in further action as deemed appropriate by the State CISO under the authorities cited in Section 3.

  9. Effective Date and Duration

    This Binding Operational Directive is effective upon signature and remains in effect until rescinded or superseded.

  10. Contact Information

    For technical interpretation or procedural requirements of this BOD, please contact DoIT OSM at: [email protected]. For compliance questions regarding this BOD, please contact the Governance, Risk & Compliance (GRC) Directorate in the OSM at: [email protected].

    To learn more, visit the Vulnerability Disclosure Program's frequently asked questions.

    If you believe you have discovered a vulnerability in a system covered by this program, please submit your report to the Vulnerability Disclosure Program.