VDR-RPT-RPDMAYAll frameworksImplementation guide coming soon

Responsible Public Disclosure

Vulnerability Detection and Response (VDR) · Reporting

Applies to: Providers

Who this applies to: Providers
Service class: All service classes
Force: MAY
Timeframe: No fixed timeframe

Reviewed implementation guidance for VDR-RPT-RPD is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MAY responsibly disclose vulnerabilities publicly or with other parties if the provider determines doing so will NOT likely lead to exploitation.

Defined terms in this requirement

Likely Provider Responsibly Vulnerability

Change history

2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.