DE SB283
Bill
Status
6/16/2016
Primary Sponsor
Catherine Cloutier
AI Summary
Senate Bill 283 Summary
- Establishes a vulnerability coordination policy in Delaware Code Chapter 90C requiring software vendors to publicly publish procedures for receiving security vulnerability reports from researchers.
- Requires vendors to enumerate their products and scope, list prohibited testing methods (such as denial of service attacks and destructive actions), and respond to vulnerability reports within two business days.
- Provides legal immunity to security researchers who discover vulnerabilities in state software, provided they follow the policy terms and do not conduct prohibited testing methods.
- Obligates security researchers to cooperate with vendors until disclosure, refrain from early public disclosure, and avoid extortion or sale of reported vulnerabilities.
- Establishes a 90-day deadline for public disclosure of vulnerabilities, allowing disclosure only after a patch is released or 90 days have elapsed without a patch.
Legislative Description
An Act To Amend Title 29 Of The Delaware Code Relating To Vulnerability Coordination Policy
Last Action
Reported Out of Committee (ADMINISTRATIVE SERVICES/ELECTIONS) in Senate with 6 On Its Merits
6/22/2016