VDR-RPT-NIDMUST NOTAll frameworksImplementation guide coming soon

Responsible Disclosure

Vulnerability Detection and Response (VDR) · Reporting

Applies to: Providers

Who this applies to: Providers
Service class: All service classes
Force: MUST NOT
Timeframe: No fixed timeframe

Reviewed implementation guidance for VDR-RPT-NID is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST NOT irresponsibly disclose specific sensitive information about vulnerabilities that would likely lead to exploitation, but MUST disclose sufficient information for informed risk-based decision-making to all necessary parties.

Defined terms in this requirement

All Necessary Parties Likely Provider Vulnerability

Notes

This requirement will be superseded in the event of formal action related to an investigation or corrective action plan.

Change history

2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.