The nation’s top voting equipment vendors reportedly are issuing a request for information (RFI) this week on building a vulnerability disclosure program (VDP) to bolster election security.
Noting vulnerability disclosure is critical to finding and fixing software bugs, Casey Ellis, CTO and founder of Bugcrowd, said, “In a climate where most voters share the concern about cyber-interference with the election process, but very few know what that actually means, a clear and decisive move toward transparency by the vendors addresses the bigger vulnerability that’s in play here: Confidence in the democratic process itself.”
"On Election Day, every voter must have confidence in the vote – “and it’s good to see this priority informing decisions being made by the vendors,” said Ellis. “My strong recommendation to election software vendors is to adopt a public vulnerability disclosure program (VDP), and not just engage a vetted group of individuals to find these issues.”
But voting machines are not the only points of vulnerability to attack, every tool that house data – from websites to databases – used by voters, election officials, candidates and volunteers, are vulnerable and attractive to potential attackers, he said.
“We know Russian adversaries successfully influenced the 2016 presidential election and they didn’t need access to voting machines to change the outcome of the vote,” said Ellis. “The good news is securing these assets with VDP is achievable ahead of the 2020 election if we act quickly.”