AMY KLOBUCHAR
MINNESOTA

United States Senate
Washington, DC 20510

Committees:
Commerce, Science, and Transportation
Joint Economic
Judiciary
Rules and Administration

October 22, 2019

Scott Algeier
Executive Director
IT-ISAC Elections Industry Special Interest Group
9401 Centreville Road, Suite 104
Manassas, VA 20110

Re: Request for Information on a Crowd-sourced Coordinated Vulnerability Disclosure Program

Thank you for the opportunity to provide feedback on creating a vulnerability disclosure program for voting systems in the United States. As you know, election security is national security, and so it is vital that we make use of widely used cybersecurity best practices and welcome independent good-faith security review of our nation's election systems. Creating a vulnerability disclosure program for U.S. voting systems could be a significant step forward for election security. However, to be successful it is important that any such program follow best practices that have worked well in other industries. Below are three key principles that I believe are fundamental to creating an effective vulnerability disclosure program.

1. To be effective, a vulnerability disclosure program for voting systems must provide clear legal authorization for good-faith security research by the general public.

The success of any vulnerability program depends on actually receiving reports. The accompanying whitepaper on CVD programs[1] describes a program that potentially limits participation to vetted researchers, which would be detrimental to the effectiveness of the program. Allowing participation from the general public does not require voting system manufacturers to make machines physically available to anyone who asks. Opening the program to the public means that the program should be capable of and interested in accepting private vulnerability reports from good-faith actors, whether they used machines provided by the manufacturer or not, without the fear of legal retaliation. For example, the Department of Defense (DOD) provides authorization to the general public to research vulnerabilities on any of its websites.[2]

In its associated Request for Information, the EI-SIG asked "How to ensure that those engaging in a crowd-sourced VD program are not nefarious actors seeking sensitive information that can then be used in attacks against the elections infrastructure?"[3] Limiting participation on the basis of preventing unvetted people from gaining information would necessarily require placing restrictions on participating researchers (such as non-disclosure agreements) that would deter many security experts from participating. This may also reflect unrealistic expectations on the part of voting system manufacturers about how information on voting systems used in public elections can reasonably be managed. As in any industry, from a security perspective, it is prudent to assume that the workings of your software and hardware are public knowledge, and to design security controls under that assumption. Coordinated vulnerability disclosure programs in many sensitive industries allow the general public to safely submit vulnerability reports, even in industries that make embedded systems or systems not designed to be connected to the internet. For example, medical device manufacturers, car manufacturers, and other companies maintain vulnerability disclosure programs that are generally open to the public,[4] including Philips[5], Dräger[6], and General Motors[7].

2. To be realistic, a vulnerability disclosure program for voting systems must expect that external security research is always happening and channel that research into effective disclosure.

Successful vulnerability disclosure programs in industry and in government are designed with the knowledge that the public will always be looking for security issues in their systems, and to incentivize those with good intentions to privately report any issues so they can be fixed before being made public. In its associated RFI, the EI-SIG asked "How best to ensure the confidentiality of the researcher findings so that vulnerability announcements are disclosed simultaneously with a fix or mitigation for the vulnerability?" A primary goal of any vulnerability disclosure program is avoiding public disclosure of a vulnerability before a fix or mitigation is available, and experience suggests that security experts who participate in these programs share this goal. However, ensuring that exploitable vulnerabilities are fixed before they can be used to harm the public is ultimately a more important public security goal, and it is not reasonable to attempt to indefinitely restrict public disclosure.

Many successful vulnerability disclosure programs acknowledge this tension by asking the security expert to agree to a time-limited window for the company to address any reported vulnerability before the security expert makes their report public. For example, the General Services Administration asks for 90 days to patch their systems[8], while Dräger strongly encourages coordinated disclosure without attempting to legally require it.[9]

State requirements that voting systems be formally certified can delay the deployment of fixes. At the same time, Election Day cannot be postponed, increasing the pressure to deploy fixes in a timely manner. These competing pressures are serious, and it may be reasonable to establish expectations around public disclosure that are tailored to elections. However, even if challenges like certification delays remain an issue, voting system manufacturers must work out reasonable, time-limited, and researcher-friendly terms for disclosure. Ultimately, for a vulnerability disclosure program for voting systems to be the most effective at convincing security experts to contact voting system manufacturers, it should grant clear legal authorization for good-faith security research, without requiring security experts to agree to permanent confidentiality agreements.

3. To be complete, a vulnerability disclosure program for voting systems must include their manufacturers' own websites and corporate information systems.

The safety of any voting system also depends on the security of the systems that are used to design and develop that system. At minimum, any company that makes software or firmware must make sure that its source code is not changed by malicious actors. This is even more important for makers of proprietary software, since changes to proprietary source code are not publicly auditable. In its associated RFI, the EI-SIG asked "How to manage a crowd-sourced VD program on systems that are designed to be closed, isolated, and disconnected from the Internet, including stand-alone embedded systems?" Even stand-alone embedded systems that may be disconnected from the internet rely on their supply chain remaining intact. If a member of the public finds a vulnerability on a public website run by a voting system manufacturer, this could have unexpected ramifications, particularly if that website is hosted on a server inside a trusted environment. Even seemingly small vulnerabilities, such as defacement, could be used by attackers as part of a campaign to phish staff and compromise an organization. Voting system manufacturers should acknowledge this by welcoming vulnerability reports that apply to all of their internet-accessible IT systems, including systems not intentionally made internet-accessible.

In summary, I recommend that any vulnerability disclosure program created by voting system manufacturers:

- Provide clear reporting channels and legal authorization for good-faith security research by the general public.
- Establish reasonable, time-limited, and researcher-friendly expectations around public disclosure.
- Apply to any internet-accessible system operated by the voting system manufacturer, not only the voting systems themselves.

Thank you again for the opportunity to provide feedback on this initiative.

Amy Klobuchar
United States Senator

Notes:
[1] "Coordinated Vulnerability Disclosure Program White Paper", Elections Industry Special Interest Group, 2019.
[2] "Vulnerability Disclosure Policy", Department of Defense.
[3] "EI-SIG Request for Information".
[4] "Coordinated vulnerability disclosure resources", I Am The Cavalry. programs/
[5] "Philips coordinated vulnerability disclosure statement". disclosurehtml
[6] "Dräger Coordinated Disclosure Statement".
[7] "General Motors, Vulnerability Disclosure Program".
[8] "Vulnerability disclosure policy". 18f.gsa.
[9] "Dräger Coordinated Disclosure Statement".