Vulnerability Disclosure Program (VDP)

The Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) has created a Vulnerability Disclosure Program (VDP) that gives permission for security researchers to ethically find and report vulnerabilities in an election office’s systems.

What is a VDP?

A VDP is a formalized process to receive, validate, remediate, and communicate vulnerability information identified by security researchers on specific technology systems. VDPs have proven successful in many industries, from the largest tech companies to small governments. They can be an effective and efficient way for an organization to improve its security posture.

Why Consider a VDP?

Many election organizations simply don't have skilled cybersecurity professionals on staff. Even if they do, they don't have the time to probe every system for vulnerabilities. By working with external security researchers, organizations can broaden their vulnerability management efforts and remake them as a continuous process—all while saving time and money. They can also stay on top of new vulnerabilities as they emerge, as well as identify weaknesses that are more difficult to find, thus reducing their overall attack surface.

Getting Started


I work for an elections office

The EI-ISAC VDP allows election offices to leverage the wide-ranging talent of security researchers to improve the security of their systems. 

The basics of a VDP involve letting researchers know about an organization's VDP policy. This includes specifying the following parameters:

  • Which systems or parts of systems researchers are allowed to test.
  • When and how researchers can report a discovered vulnerability.
  • How long researchers have to wait before they can disclose that vulnerability to others.

Email us here to get more information on starting your VDP.

I am a security researcher

The EI-ISAC Vulnerability Disclosure Program (VDP) gives permission for security researchers to ethically find and report vulnerabilities in an election office’s systems according to each participant's policy as linked below.

Participating researchers agree to keep the vulnerability private for a set period of time to give the organization an opportunity to fix the issue.

In return, researchers get assurances from the election office that, as long as the researcher follows the prescribed policies, no adverse action will be taken against the researcher.

Once the vulnerability has been remediated, the researcher gets notified and is free to take credit for it publicly.

Check out the policies below to get started. If you have questions, email us here before you start your research.

Active VDP Policies

The list below links to each participating election office’s VDP policy. Security researchers must follow each policy carefully, as it specifies which activities are permissible on which systems for an individual election office.

Participating election offices are:

Idaho, Office of the Secretary of State (Voteidaho.gov)
Vulnerability Disclosure Participant Policy: https://voteidaho.gov/vulnerability-disclosure-policy/
Details: VoteIdaho provides voting information for the citizens of Idaho, including online services to check your voter registration record, find your polling place, and view voter education videos about absentee ballots, voter registration, maintaining the active voter list, ballot tabulation, election certification and more.

South Carolina Election Commission (SCvotes.gov)
Vulnerability Disclosure Participant Policy: https://scvotes.gov/vulnerability-disclosure-program
Details: SCvotes provides voters with online registration, registration updates, sample ballots, information about polling places, absentee ballots and county contact information. SCvotes also provides the latest news in elections, information about upcoming elections, election results and more. The Voter Registration and Election Management System (VREMS) is the statewide voter registration database. VREMS also supports absentee voting, poll manager tracking, asset management and other voter registration and election functions.

Medina County Board of Elections, Medina County, Ohio
Link: https://www.boe.ohio.gov/medina
Details: This website provides voter information, candidate information and election results.

Monroe County Board of Elections, Monroe County, Ohio
Vulnerability Disclosure Participant Policy: https://www.boe.ohio.gov/monroe/external-resources/
Details: The Monroe County Board of Elections website provides voter information, unofficial election results, and important election updates to the community. The site also provides polling location information and several other items to assist voters.

Morgan County Board of Elections, Morgan County, Ohio
Link: Morgan County Board of Elections
Details: This website provides voter information such as polling locations, sample ballots, voter lookup, unofficial and official election results, past election results, elected officials information and other important election-related information.

Polk County Clerk’s Office, Polk County, Oregon
Vulnerability Disclosure Participant Policy: https://www.co.polk.or.us/ms/vulnerability-disclosure-policy
Details: co.polk.or.us is a county website hosting the Clerk’s Department page, which includes election information, office hours, polling location information, and other vital voter information. This site serves as a central location for people to understand when, where, and how to vote in Polk County.

Preble County Board of Elections, Preble County, Ohio
Link: www.boe/ohio.gov/preble
Details: The Preble County Board of Elections website provides easy-to-find information to voters, including registration and deadlines, absentee voting information, tracking of ballots, and polling location information. Also included are election results, elected officials, as well as candidate tools.
Seneca County Board of Elections, Seneca County, Ohio
Link: https://www.boe.ohio.gov/seneca/c/pdf/SenecaCoVDP.pdf
Details: The Seneca County Board of Elections website serves as a central location to provide election and voting information to the public. Information includes, but is not limited to, voter registration look-up, polling location look-up, election results, sample ballots, campaign finance look-up, elected officials, and candidate information.

Trumbull County Board of Elections, Trumbull County, Ohio
Link: https://boe.co.trumbull.oh.gov/pdfs/Trumbull Board of Elections VDP policy.pdf
Details: The Trumbull County Board of Elections website lets you check out everything election-related, from results and polling places to poll workers and more.

Wayne County Board of Elections, Wayne County, Ohio
Link: Home
Details: This website is used for general election information and posting of election results.

Other VDP Participants

The list below links to election offices participating in other vulnerability disclosure programs. Security researchers must follow each participant policy carefully, as it specifies which activities are permissible on which systems for an individual election office. The policy also provides instructions for reporting vulnerabilities. DO NOT REPORT vulnerabilities to the EI-ISAC for Other VDP Participants.

Iowa Secretary of State
Vulnerability Disclosure Program: https://sos.iowa.gov/VulnerabilityDisclosureProgram.html
Details: The Office of Iowa Secretary of State takes the security of our systems seriously. We value the security research community and believe by working together we can help ensure the security and privacy of our users, our systems, and our data. We want security researchers to feel comfortable reporting vulnerabilities they've discovered, as set out in this policy, so that we can fix them and keep the public’s information safe. This policy describes which systems and types of research are covered under this policy, how to report vulnerabilities to us, what we ask of researchers, and what researchers can expect from us.

This policy applies to the following systems:

  • Iowa Secretary of State - Paul D. Pate - filings.sos.iowa.gov (which is synonymous with filing.sos.iowa.gov, filings.iowa.gov, filing.iowa.gov)
  • Iowa Safe At Home: http://safeathome.iowa.gov/
  • Data API - Iowa Secretary of State: http://api.sos.iowa.gov/
 

The list below links to supporting members/election technology vendors participating in other vulnerability disclosure programs. Security researchers must follow each participant policy carefully, as it specifies which activities are permissible on which systems for a participant. The policy also provides instructions for reporting vulnerabilities. DO NOT REPORT vulnerabilities to the EI-ISAC for Other VDP Participants.

Election Systems and Software (ES&S)
Link: https://www.essvote.com/storage/2020/08/ESS_vulnerability_disclosure_policy.pdf
Details: Election Systems & Software (ES&S) has been a trusted supplier since 1979, helping election officials run successful and secure elections. Today, our products and solutions continue to capture accurate voter intent, reduce waste, improve accessibility and protect elections from outside threats.

Hart Intercivic
Link: https://www.hartintercivic.com/wp-content/uploads/2021/01/HartVulnerabilityDisclosurePolicy_82020.pdf
Details: Hart has been working side-by-side with election professionals for more than 100 years. We are committed to advancing the partnership between people and their government through transformative technology. Hart’s mission fuels our passionate customer focus and a continuous drive for technological innovation.