Government Contractors Keep Getting Hacked. A GOP Congress…
A Republican congresswoman wants companies with big federal contracts to encourage hackers to probe their corporate cyber defenses, hopefully shining a light on their vulnerabilities before someone else exploits them.
Rep. Nancy Mace (R-S.C.) on Thursday introduced legislation that would require firms with federal contracts of $250,000 or more to create so-called vulnerability disclosure programs, which allow anyone to poke around for bugs in certain public-facing computer systems and privately report them to the systems’ owners.
Mandating the use of these programs will “ensure a proactive approach to cybersecurity, enabling contractors to identify and address software vulnerabilities promptly,” Mace said in a statement. “This legislation, aligned with internationally recognized standards, empowers contractors to stay ahead of malicious actors, preventing potential exploits and protecting sensitive information.”
Mace’s Federal Cybersecurity Vulnerability Reduction Act is aimed at closing a critical gap in the government’s cyber defenses. Many federal agencies have been hacked through intrusions that begin on contractors’ networks. These break-ins are called supply-chain attacks, because they exploit weaknesses in the supply chains connecting agencies with contracted services like IT and human resources. The Russian government perpetrated one such attack in 2020 that compromised nine federal agencies, along with 100 private companies.
Federal agencies themselves are already required to operate vulnerability disclosure programs, and several agencies, including the Department of Defense and the Department of Homeland Security, have paired these reporting mechanisms with “bug bounty programs” offering rewards to people who find serious flaws.
The legislation pairs neatly with the Biden administration’s recent efforts to hold contractors to higher cybersecurity standards. New regulations will add cybersecurity requirements to all federal contracts; software providers will face special requirements; and the Justice Department will prosecute companies that falsely claim to meet security standards.
Some federal contractors—particularly the biggest ones—likely already operate disclosure programs, but many others don’t. If Mace’s legislation becomes law, it could introduce a large number of companies to the concept of these programs for the first time.
One of the staunchest supporters of the new legislation is HackerOne, which sells a service to manage vulnerability disclosure programs. “When federal contractors can effectively address security vulnerabilities, every U.S. citizen will be better protected against cyberattacks,” HackerOne CEO Marten Mickos said in a statement.