Vulnerability Disclosure Program (VDP)
The Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) has created a Vulnerability Disclosure Program (VDP) that gives permission for security researchers to ethically find and report vulnerabilities in an election office’s systems.
What is a VDP?
A VDP is a formalized process to receive, validate, remediate, and communicate vulnerability information identified by security researchers on specific technology systems. VDPs have proven successful in many industries, from the largest tech companies to small governments. They can be an effective and efficient way for an organization to improve its security posture.
Why Consider a VDP?
Many election organizations simply don't have skilled cybersecurity professionals on staff. Even if they do, they don't have the time to probe every system for vulnerabilities. By working with external security researchers, organizations can broaden their vulnerability management efforts and remake them as a continuous process—all while saving time and money. They can also stay on top of new vulnerabilities as they emerge, as well as identify weaknesses that are more difficult to find, thus reducing their overall attack surface.
Getting Started
The EI-ISAC VDP allows election offices to leverage the wide-ranging talent of security researchers to improve the security of their systems.
The basics of a VDP involve letting researchers know about an organization's VDP policy. This includes specifying the following parameters:
- Which systems or parts of systems researchers are allowed to test.
- When and how researchers can report a discovered vulnerability.
- How long researchers have to wait before they can disclose that vulnerability to others.
Email us here to get more information on starting your VDP.
The EI-ISAC VDP allows election offices to leverage the wide-ranging talent of security researchers to improve the security of their systems.
The basics of a VDP involve letting researchers know about an organization's VDP policy. This includes specifying the following parameters:
- Which systems or parts of systems researchers are allowed to test.
- When and how researchers can report a discovered vulnerability.
- How long researchers have to wait before they can disclose that vulnerability to others.
Email us here to get more information on starting your VDP.
The EI-ISAC Vulnerability Program (VDP) gives permission for security researchers to ethically find and report vulnerabilities in an election office’s systems according to each participants' policies as linked below.
Participating researchers agree to keep the vulnerability private for a set period of time to give the organization an opportunity to fix the issue.
In return, researchers get assurances from the election office that, as long as the researcher follows the prescribed policies, no adverse action will be taken against the researcher.
Once the vulnerability has been remediated, the researcher gets notified and is free to take credit for it publicly.
Check out the policies below to get started. If you have questions, email us here before you start your research.
Active VDP Policies
The table below links to each participating election office’s VDP policy. Security researchers must follow each policy carefully, as it specifies which activities are permissible on which systems for an individual election office.
Participating election offices are:
|
Participating Election Office |
Details |
| Idaho
Office of the Secretary of State Vulnerability Disclosure Participant Policy
|
VoteIdaho provides voting information for the citizens of Idaho including online services to check your voter registration record, find your polling place and view voter education videos about absentee ballots, voter registration, maintaining the active voter list, ballot tabulation, election certification and more.
|
|
South Carolina Election Commission Vulnerability Disclosure Participant Policy
|
SCvotes provides voters with online registration, registration updates, sample ballots, information about polling places, absentee ballots and county contact information. SCvotes also provides the latest news in elections, information about upcoming elections, election results and more.
|
|
Monroe County Board of Elections Vulnerability Disclosure Participant Policy |
The Monroe County Board of Elections website provides voter information, unofficial election results, and important election updates to the community. The site also provides polling location information and several other items to assist voters.
|
| Morgan County Board of Elections Morgan County, Ohio Morgan County Board of Elections |
This website provides voter information such as polling locations, sample ballots, voter lookup, unofficial and official election results, past election results, elected officials information and other important election related information. |
|
Polk County Clerk’s Office
|
co.polk.or.us is a county website hosting the Clerk’s Department page which includes election information, office hours, polling location information, and other vital voter information. This sites serves as a central location for people to understand when, where, and how to vote in Polk County. |
| Seneca County Board of Elections Seneca County, Ohio www.boe.ohio.gov/seneca |
The Seneca County Board of Elections website serves as a central location to provide election and voting information to the public. Information includes but not limited to: voter registration look-up, polling location look-up, election results, sample ballots, campaign finance look-up, elected officials, and candidate information. |
Other VDP Participants
The table below links to election offices participating in other vulnerability disclosure programs. Security researchers must follow each participant policy carefully, as it specifies which activities are permissible on which systems for an individual election office. The policy also provides instructions for reporting vulnerabilities. DO NOT REPORT vulnerabilities to the EI-ISAC for Other VDP Participants.
|
Participating Election Office |
Details |
|
Iowa Secretary of State Vulnerability Disclosure Program
|
The Office of Iowa Secretary of State takes the security of our systems seriously. We value the security research community and believe by working together we can help ensure the security and privacy of our users, our systems, and our data. We want security researchers to feel comfortable reporting vulnerabilities they've discovered, as set out in this policy, so that we can fix them and keep the public’s information safe. This policy describes the systems and types of research are covered under this policy, how to report vulnerabilities to us, what we ask of researchers, and what researchers can expect from us. This policy applies to the following systems: Iowa Secretary of State - Paul D. Pate - filings.sos.iowa.gov (which is synonymous with filing.sos.iowa.gov, filings.iowa.gov, filing.iowa.gov) Iowa Safe At Home: http://safeathome.iowa.gov/ Data API - Iowa Secretary of State: http://api.sos.iowa.gov/ |