Vulnerability Disclosure Program (VDP)

The Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) has created a Vulnerability Disclosure Program (VDP) that gives permission for security researchers to ethically find and report vulnerabilities in an election office’s systems.

What is a VDP?

A VDP is a formalized process to receive, validate, remediate, and communicate vulnerability information identified by security researchers on specific technology systems. VDPs have proven successful in many industries, from the largest tech companies to small governments. They can be an effective and efficient way for an organization to improve its security posture.

Why Consider a VDP?

Many election organizations simply don't have skilled cybersecurity professionals on staff. Even if they do, they don't have the time to probe every system for vulnerabilities. By working with external security researchers, organizations can broaden their vulnerability management efforts and remake them as a continuous process—all while saving time and money. They can also stay on top of new vulnerabilities as they emerge, as well as identify weaknesses that are more difficult to find, thus reducing their overall attack surface.

Getting Started

The EI-ISAC VDP allows election offices to leverage the wide-ranging talent of security researchers to improve the security of their systems. 

The basics of a VDP involve letting researchers know about an organization's VDP policy. This includes specifying the following parameters:

  • Which systems or parts of systems researchers are allowed to test.
  • When and how researchers can report a discovered vulnerability.
  • How long researchers have to wait before they can disclose that vulnerability to others.

Email us here to get more information on starting your VDP.


I am a security researcher

The EI-ISAC Vulnerability Disclosure Program (VDP) gives permission for security researchers to ethically find and report vulnerabilities in an election office’s systems, according to each participant's policy as linked below.

Participating researchers agree to keep the vulnerability private for a set period of time to give the organization an opportunity to fix the issue.

In return, researchers get an assurance from the election office that, as long as the researcher follows the prescribed policy, no adverse action will be taken against the researcher. This assurance covers only the systems and activities the policy explicitly authorizes; testing outside that scope is not protected.

Once the vulnerability has been remediated, the researcher gets notified and is free to take credit for it publicly.

Check out the policies below to get started. If you have questions, email us here before you start your research.

Active VDP Policies

The table below links to each participating election office’s VDP policy. Security researchers must follow each policy carefully, as it specifies which activities are permissible on which systems for an individual election office.

Participating election offices are:

Participating State: South Carolina Election Commission (SCvotes.gov)
VDP Policy: https://scvotes.gov/vulnerability-disclosure-program
Details: SCvotes provides voters with online registration, registration updates, sample ballots, information about polling places, absentee ballots and county contact information. SCvotes also provides the latest news in elections, information about upcoming elections, election results and more.