We the undersigned organizations, members of the Hacking Policy Council, respectfully request regulatory guidance from the Office of Foreign Assets Control (OFAC) regarding coordinated vulnerability disclosure processes and sanctions. We urge the Department to clarify organizations’ obligations when receiving a cybersecurity vulnerability disclosure from individuals in “comprehensively sanctioned” countries and regions, and the organization’s ability to ask follow-up questions regarding that vulnerability. Vulnerability disclosures are communications of information, without remuneration, performed to ensure and promote the security of information systems. We commend OFAC for stating in FAQ 448 that the “U.S. government supports efforts by researchers, cybersecurity experts, and network defense specialists to identify, respond to, and repair vulnerabilities that could be exploited by malicious actors.” [1] We recognize that this is aligned with the broader U.S. government policy of reducing software vulnerabilities by promoting adoption of coordinated vulnerability disclosure processes in the public and private sectors. [2] It would be beneficial for OFAC to clarify that such communications from individuals in comprehensively sanctioned areas are not restricted and are exempt from sanctions.
