Binding Operational Directive 20-01 requires most federal civilian executive branch (FCEB) agencies to have vulnerability disclosure policies (VDP). This repository gives the location of these agencies' VDPs; it does not necessarily mean a given VDP is in alignment with BOD 20-01. Review an agency's policy for information about current scope and submission location.
Though the Department of Defense is not subject to BOD 20-01, DoD does have a VDP at https://hackerone.com/deptofdefense.
(Note that the URL under VDP link
is generally the one required by BOD 20-01 and may redirect.)