Vulnerability Disclosure Program (VDP)
The Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) has created a Vulnerability Disclosure Program (VDP) that gives permission for security researchers to ethically find and report vulnerabilities in an election office’s systems.
What is a VDP?
A VDP is a formalized process to receive, validate, remediate, and communicate vulnerability information identified by security researchers on specific technology systems. VDPs have proven successful in many industries, from the largest tech companies to small governments. They can be an effective and efficient way for an organization to improve its security posture.
Why Consider a VDP?
Many election organizations simply don't have skilled cybersecurity professionals on staff. Even if they do, they don't have the time to probe every system for vulnerabilities. By working with external security researchers, organizations can broaden their vulnerability management efforts and remake them as a continuous process—all while saving time and money. They can also stay on top of new vulnerabilities as they emerge, as well as identify weaknesses that are more difficult to find, thus reducing their overall attack surface.
Getting Started
The EI-ISAC VDP allows election offices to leverage the wide-ranging talent of security researchers to improve the security of their systems.
The basics of a VDP involve letting researchers know about an organization's VDP policy. This includes specifying the following parameters:
- Which systems or parts of systems researchers are allowed to test.
- When and how researchers can report a discovered vulnerability.
- How long researchers have to wait before they can disclose that vulnerability to others.
Email us here to get more information on starting your VDP.
The EI-ISAC VDP allows election offices to leverage the wide-ranging talent of security researchers to improve the security of their systems.
The basics of a VDP involve letting researchers know about an organization's VDP policy. This includes specifying the following parameters:
- Which systems or parts of systems researchers are allowed to test.
- When and how researchers can report a discovered vulnerability.
- How long researchers have to wait before they can disclose that vulnerability to others.
Email us here to get more information on starting your VDP.
The EI-ISAC Vulnerability Program (VDP) gives permission for security researchers to ethically find and report vulnerabilities in an election office’s systems according to each participants' policies as linked below.
Participating researchers agree to keep the vulnerability private for a set period of time to give the organization an opportunity to fix the issue.
In return, researchers get assurances from the election office that, as long as the researcher follows the prescribed policies, no adverse action will be taken against the researcher.
Once the vulnerability has been remediated, the researcher gets notified and is free to take credit for it publicly.
Check out the policies below to get started. If you have questions, email us here before you start your research.
Active VDP Policies
The table below links to each participating election office’s VDP policy. Security researchers must follow each policy carefully, as it specifies which activities are permissible on which systems for an individual election office.
Participating election offices are:
Participating Election Office |
Details |
Idaho
Office of the Secretary of State Vulnerability Disclosure Participant Policy
|
VoteIdaho provides voting information for the citizens of Idaho including online services to check your voter registration record, find your polling place and view voter education videos about absentee ballots, voter registration, maintaining the active voter list, ballot tabulation, election certification and more.
|
South Carolina Election Commission Vulnerability Disclosure Participant Policy
|
SCvotes provides voters with online registration, registration updates, sample ballots, information about polling places, absentee ballots and county contact information. SCvotes also provides the latest news in elections, information about upcoming elections, election results and more. The Voter Registration and Election Management System (VREMS) is the statewide voter registration database. VREMS also supports absentee voting, poll manager tracking, asset management and other voter registration and election functions.
|
Cuyahoga County Board of Elections Vulnerability Disclosure Participant Policy
|
The Cuyahoga County Board of Elections website serves as a comprehensive resource for voters, candidates, and election officials in Cuyahoga County, Ohio. The site offers essential information on voter registration, polling locations, election results, and upcoming elections. Visitors can find details on how to vote by mail or in person, view sample ballots, and track absentee ballots. The website also provides resources for candidates, including filing deadlines and campaign finance information, as well as educational materials to promote voter engagement and participation.
|
Guernsey County Board of Elections Guernsey County, Ohio https://boe.guernseycounty.gov/notices/guernsey-county-board-of-elections-vulnerability-disclosure-policy-7-31-2024/ |
This website provides voter information and official and unofficial election results. |
Medina County Board of Elections Medina County, Ohio https://www.boe.ohio.gov/medina |
This website provides voter information, candidate information and election results.
|
Monroe County Board of Elections
Vulnerability Disclosure Participant Policy |
The Monroe County Board of Elections website provides voter information, unofficial election results, and important election updates to the community. The site also provides polling location information and several other items to assist voters.
|
Morgan County Board of Elections Morgan County, Ohio Morgan County Board of Elections |
This website provides voter information such as polling locations, sample ballots, voter lookup, unofficial and official election results, past election results, elected officials information and other important election related information. |
Polk County Clerk’s Office Polk County, Oregon Vulnerability Disclosure Participant Policy https://www.co.polk.or.us/ms/vulnerability-disclosure-policy
|
co.polk.or.us is a county website hosting the Clerk’s Department page which includes election information, office hours, polling location information, and other vital voter information. This sites serves as a central location for people to understand when, where, and how to vote in Polk County.
|
Preble County Board of Elections Preble County, Ohio https://www.boe.ohio.gov/preble |
The Preble County Board of Elections website provides easy information to voters, including registering and deadlines, absentee voting information, tracking of ballots, and polling location information. Also included are election results, elected officials, as well as candidate tools. |
Seneca County Board of Elections Seneca County, Ohio https://www.boe.ohio.gov/seneca/c/pdf/SenecaCoVDP.pdf |
The Seneca County Board of Elections website serves as a central location to provide election and voting information to the public. Information includes but not limited to: voter registration look-up, polling location look-up, election results, sample ballots, campaign finance look-up, elected officials, and candidate information. |
Trunbull County Board of Elections Trunbull County, Ohio https://boe.co.trumbull.oh.gov/pdfs/Trumbull Board of Elections VDP policy.pdf |
The Trumbull County Board of Elections website lets you check out everything election related from results, polling places, poll workers, and more.
|
Wayne County Board of Elections |
This website is used for general election information and posting of election results.
|
Other VDP Participants
The table below links to election offices participating in other vulnerability disclosure programs. Security researchers must follow each participant policy carefully, as it specifies which activities are permissible on which systems for an individual election office. The policy also provides instructions for reporting vulnerabilities. DO NOT REPORT vulnerabilities to the EI-ISAC for Other VDP Participants.
Participating Election Office |
Details |
Iowa Secretary of State Vulnerability Disclosure Program
|
The Office of Iowa Secretary of State takes the security of our systems seriously. We value the security research community and believe by working together we can help ensure the security and privacy of our users, our systems, and our data. We want security researchers to feel comfortable reporting vulnerabilities they've discovered, as set out in this policy, so that we can fix them and keep the public’s information safe. This policy describes the systems and types of research are covered under this policy, how to report vulnerabilities to us, what we ask of researchers, and what researchers can expect from us. This policy applies to the following systems: Iowa Secretary of State - Paul D. Pate - filings.sos.iowa.gov (which is synonymous with filing.sos.iowa.gov, filings.iowa.gov, filing.iowa.gov) Iowa Safe At Home: http://safeathome.iowa.gov/ Data API - Iowa Secretary of State: http://api.sos.iowa.gov/ |
Minnesota Secretary of State Vulnerability Disclosure Program
|
The Office of the Minnesota Secretary of State believes effective disclosure of security vulnerabilities requires mutual trust, respect, transparency and common good between the Office and Security Researchers. Together, our partnership promotes the continued security and privacy of the Office of the Minnesota Secretary of State's users, systems, and data. The Office of the Minnesota Secretary of State's website and web tools provide information and services in a variety of areas including elections and voting, business and lien filings, notary registration, apostille verification, boards and commissions applications, a repository of official state documents, and an address confidentiality program. Please see the VDP page for the latest list of sites that are included in the program's scope. |
Defiance County Board of of Elections Defiance County, Ohio Vulnerability Disclosure Program https://www.boe.ohio.gov/defiance/ |
This website provides voter information and official and unofficial election results. |
The table below links to supporting members/election technology vendors participating in other vulnerability disclosure programs. Security researchers must follow each participant policy carefully, as it specifies which activities are permissible on which systems for a participant. The policy also provides instructions for reporting vulnerabilities. DO NOT REPORT vulnerabilities to the EI-ISAC for Other VDP Participants.
Participating Election Technology Supporting Member |
Details |
Election Systems and Software (ES&S) |
Election Systems & Software (ES&S) has been a trusted supplier since 1979, helping election officials run successful and secure elections. Today, our products and solutions continue to capture accurate voter intent, reduce waste, improve accessibility and protect elections from outside threats. |
Hart Intercivic
|
Hart has been working side-by-side with election professionals for more than 100 years. We are committed to advancing the partnership between people and their government through transformative technology. Hart’s mission fuels our passionate customer focus and a continuous drive for technological innovation. |