Election Security Spotlight – What Is A Vulnerability Disclosure Program?

A Vulnerability Disclosure Program (VDP) is a way for an organization to enable outside researchers to test its systems and report vulnerabilities in software or hardware. This allows an organization to develop a mitigation plan or patch the vulnerability before it is exploited by malicious actors.

VDPs, also referred to as “Coordinated Vulnerability Disclosure” (CVD) programs, are policies that cover how to report vulnerabilities, limitations on testing, and a timeline for the organization to address a reported vulnerability. These policies also include “safe harbor” language to protect researchers who follow the policy from legal liability related to their activities. VDPs are collaborative, with researchers identifying weaknesses and potential solutions that can be implemented, and organizations communicating back on their remediation actions.

Why it matters

  • All complex systems have vulnerabilities. While some may go undetected or be patched by a software producer or system manager, others will be discovered by entities outside the organization. It is better to have a researcher privately report a vulnerability to you than to find out about it after a malicious actor has exploited it.
  • VDPs increase the likelihood that vulnerabilities will be detected and addressed before a malicious actor can compromise a system.
    • The range of skills and interests among security researchers can lead to more comprehensive testing than most organizations have in-house or can afford.
    • VDPs complement vulnerability scanning, penetration testing, and the other elements of a cybersecurity program as one more tool in your layered defense model.
  • VDPs allow you to tap into a community of security researchers, ranging from students learning about cybersecurity to those who conduct research for a living and respected cybersecurity and IT professionals.
    • On the whole, these researchers are professionals. They are not trying to embarrass organizations; they want to help ensure that the systems users access every day are secure. Some VDPs pay researchers, though often the researchers simply want professional recognition for their work once a vulnerability has been patched.
  • VDPs are used by many of the most prominent private and public sector organizations. They are a way to engage with the security community to strengthen your organization and demonstrate your commitment to securing election systems.

What you can do

  • Before committing to a VDP, ensure that your IT department can support the program, is already effectively maintaining basic cyber hygiene, such as timely patch management, and is able to consistently respond to newly discovered vulnerabilities.
  • As an election administrator, work with your IT department to set limits on the program, including which systems will and will not be included (e.g., specifying which websites are in scope and which are off-limits).
    • Over time, as you are comfortable, increase the scope to allow all internet-accessible systems to be testable.
  • Review CISA’s Binding Operational Directive 20-01, the Guide to Vulnerability Reporting for America’s Election Administrators, and existing state VDPs, including those of Ohio and Iowa, for guidance and policy templates.
  • Communication is critical to the success of a VDP. Regular communication on the actions being taken in response to a report, and on its ultimate resolution, is critical to maintaining positive relationships with researchers. This will keep researchers and their colleagues engaged and interested in identifying vulnerabilities for your organization.
  • Discuss with your vendors how they address vulnerabilities reported by outside researchers.
    • Consider making a VDP a contractual requirement for vendors, whether through participation in your program or by establishing their own.
  • The EI-ISAC is currently developing a pilot program to partner with state and local election offices to receive vulnerabilities from, and facilitate communications with, security researchers. If you are interested in being a part of the pilot program, please reach out to [email protected].