CMS Vulnerability Disclosure Program (VDP)

Contact: PenTesting Team | CMSVDP@cms.hhs.gov

Last Reviewed: 11/7/2025

The CMS VDP and Bug Bounty programs allow security researchers to report vulnerabilities in public-facing CMS systems, strengthening cybersecurity. They fulfill federal mandates (OMB M-20-32, BOD 20-01) and have set remediation timelines.

What is the Vulnerability Disclosure Program (VDP)?

The CMS Vulnerability Disclosure Program (VDP) is an agency-wide initiative that allows external security researchers to report potential vulnerabilities found on the Centers for Medicare & Medicaid Services (CMS) public-facing applications and websites.

It operates 365 days a year and is open to the public for continuous testing of CMS-managed websites and their subdomains. Through this program, CMS works with independent security researchers to identify and report vulnerabilities before malicious actors can exploit them. It’s a proactive way to strengthen our cybersecurity posture, promote transparency, and protect the sensitive data of the millions of individuals served by CMS programs.

What is the Bug Bounty Program?

The Bug Bounty Program is an extension of the VDP that rewards external security researchers for responsibly discovering and reporting valid vulnerabilities on CMS public-facing websites.

While the VDP provides a formal process for submitting issues, the Bug Bounty adds an incentive structure for high-quality, unique findings that help CMS reduce risk. Together, these programs create a continuous cycle of discovery and validation that enables timely remediation by system teams and keeps CMS systems secure and resilient.

Why do we have these programs?

The CMS VDP was established to meet federal cybersecurity mandates under:

  • OMB Memorandum M-20-32 – “Improving Vulnerability Identification, Management, and Remediation,” which requires all federal agencies to maintain a VDP.
     
  • Binding Operational Directive (BOD) 20-01 – “Develop and Publish a Vulnerability Disclosure Policy,” issued by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

These directives require federal agencies to:

  • Establish a Vulnerability Disclosure Policy that applies to their internet-accessible federal information systems (such as public websites and digital services).
  • Provide clear channels for the public to report vulnerabilities safely and legally.
  • Implement ongoing remediation and response processes to continuously strengthen the security of federal systems and data.

In alignment with these requirements, CMS implemented both a VDP and Bug Bounty program to support proactive identification and resolution of security vulnerabilities across its internet-accessible federal information systems.

What systems are included?

The CMS VDP and Bug Bounty programs are always on for all CMS public-facing websites and their subdomains. There are no scheduled test windows: external security researchers may test any CMS public-facing domain at any time. Findings against in-scope assets are continuously monitored, triaged, and remediated by the responsible system teams.

How do researchers submit reports?

Researchers submit vulnerabilities through the official CMS Vulnerability Disclosure Program portal. Each submission is reviewed by the CMS cybersecurity team, validated for accuracy and scope, and then assigned to the appropriate system owner for remediation.

Reports are handled in accordance with CMS policy and triaged based on severity—Critical, High, Moderate, or Low—using the same remediation timelines outlined in the Plan of Action and Milestones (POA&M) Handbook.

For details on submission, visit the CMS Vulnerability Disclosure Policy Page.

Who manages the programs?

The CMS Vulnerability Disclosure Program (VDP) and Bug Bounty Program are managed through the CMS Cybersecurity Integration Center (CCIC) under the Information Security & Privacy Group (ISPG).

The VDP Management Team collaborates with trusted partners and internal stakeholders to:

  • Monitor continuous testing on CMS public-facing systems
  • Validate and triage reports from external security researchers
  • Coordinate remediation with system teams and business owners
  • Track compliance with federal vulnerability management mandates

What are the results of vulnerability submissions?

Once a vulnerability report is validated, the following actions occur:

  • The VDP team notifies the respective system team of the verified issue.
  • The system team begins remediation or mitigation based on the severity of the finding.
  • If the issue is not sufficiently resolved or mitigated within five (5) business days for Critical findings or twenty-five (25) calendar days for all other severities, a Plan of Action and Milestones (POA&M) is issued to track remediation progress.

System Owners must “Correct identified security-related information system flaws on production equipment within five (5) business days for critical findings and within twenty-five (25) calendar days for all others” according to the CMS Acceptable Risk Safeguards (ARS).

What are the remediation timelines?

Following the discovery and validation of a vulnerability through the VDP or Bug Bounty program, CMS applies the same remediation timelines outlined in the Plan of Action and Milestones (POA&M) Handbook.

After positive identification of a confirmed finding, all weaknesses must be documented in a POA&M and remediated or mitigated within the following timelines:

  • Critical - within 15 calendar days
  • High - within 30 calendar days
  • Moderate - within 90 calendar days
  • Low - within 365 calendar days

It’s important to note that the elapsed time from a researcher’s submission to remediation will exceed the timelines above, because findings must first pass through multiple review stages before the clock starts.

Initially, the external VDP/Bug Bounty team reviews and validates each report. Then, the CMS VDP Team conducts its own independent review to confirm the finding’s validity before forwarding it to the system team for action. The official remediation timeline therefore begins on the date the finding is reported to the system team via email, not on the date the researcher submitted it.

If the issue is not remediated within the required period, a CMS Assessment and Audit Tracking (CAAT) file and corresponding POA&M are generated in CFACTS to track the remaining mitigation activities until closure.

Need help?

For any questions regarding the program, please email: CMSVDP@cms.hhs.gov.