VDR-RPT-HLOSHOULDAll frameworksImplementation guide coming soon

High-Level Overviews

Vulnerability Detection and Response (VDR) · Reporting

Applies to: Providers

Who this applies to: Providers
Service class: All service classes
Force: SHOULD
Timeframe: No fixed timeframe

Reviewed implementation guidance for VDR-RPT-HLO is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers SHOULD include high-level overviews of ALL vulnerability detection and response activities conducted during this period for the cloud service offering; this includes vulnerability disclosure programs, bug bounty programs, penetration testing, assessments, etc.

Defined terms in this requirement

Cloud Service Offering Provider Vulnerability Vulnerability Detection Vulnerability Response

Change history

2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.