This explainer was last updated on June 28, 2024.
What is a Coordinated Vulnerability Disclosure Program?
A Coordinated Vulnerability Disclosure (CVD) program is a structured process for external ethical security researchers to responsibly report potential vulnerabilities in an organization’s technologies, systems, or other products or assets. CVD programs are common in many industries (companies using CVD programs include Microsoft, Amazon, and Facebook) and allow those industries to address security vulnerabilities before they can be exploited by unethical actors. A number of CVD programs exist in the election technology sector, but the practice is not universal. The MIT Election Data and Science Lab has written this short explainer to help educate the public about this issue, and to encourage a broader discussion throughout the election community about this important topic.
A CVD program can help create predictable processes and expectations for ethical security researchers, technology providers, and the public. The overarching protocol generally specifies three actions:
- Researchers report their findings directly to the technology provider;
- The technology provider accepts the responsibility of reviewing and validating the findings, and determining whether (in light of operational environments and controls) those findings constitute a vulnerability; and
- Where a vulnerability exists, the technology provider works within a reasonable timeline to identify mitigations, provide the mitigations, and notify the public that vulnerabilities have been identified and that mitigations are available.
Why are CVD Programs Important for Election Technology Providers?
Election technology providers, meaning not only producers of voting machines but also providers of other election technology such as electronic poll books, occupy a particularly sensitive role in modern democracies and must address the risks their systems face. One approach to addressing these risks is implementing a CVD program. It can provide a proactive and structured avenue for external ethical security researchers to report potential vulnerabilities in election infrastructure. This can not only ensure timely mitigation of risks but can also demonstrate to the public and relevant authorities that the provider is committed to election security.
By fostering an open line of communication between researchers and technology providers, including election technology providers, CVD programs can help ensure that vulnerabilities are addressed in a timely and controlled manner, minimizing potential harm to end users. Additionally, they can empower industries to leverage the collective expertise of the global community of ethical security researchers without passing the cost of that expertise on to customers.
Considerations When Building Out a CVD Program Involving Election Technology Providers
- Coordination: All relevant parties need to be involved. But who are these parties? Minimally, certifying agencies, reporting entities, ethical security researchers, policymakers, technical staff, and communications professionals should be a part of the conversation.
- Clear Scope: What will and will not be included in a CVD program should be established at the outset. The scope should clearly specify the process and the timing for testing technology, and exactly what is included in the policy. For example, a provider may structure intensive testing primarily during a pre-market phase, with annual review during product lifecycles; others may solicit ongoing review using a Bug Bounty approach.
- Testing Environment: As many election technologies are not open source, coordination between stakeholders is key to providing a safe and reliable physical and technical environment for researchers to conduct ethical research.
- Technology Provider/Researcher Communication Loop: Agreed-upon mechanisms should be developed to report possible vulnerabilities and providers should consider accepting general feedback on the CVD program process itself.
- Protection for Ethical Security Researchers: Researchers need to know they will be protected when they report vulnerabilities. When establishing a CVD program, legal protections for ethical security researchers should be included in the policy to ensure they are not deterred by the fear of legal ramifications.
- Federal and State Laws and Requirements: For technology that requires either federal or state certification, this must be taken into account in the development of the CVD program. Certification or implementation timelines could, for example, impact a provider’s willingness to accept vulnerabilities within a certain timeframe.
- Timing: Technology providers should consider three areas that impact timing: development work to address the potential vulnerability; certification requirements; and time needed for any necessary deployment to their customer.
- The Critical Role of States and Jurisdictions in Effective CVD Programs: Ensuring jurisdictions are kept informed about any vulnerabilities and mitigations in their systems is essential. This includes thinking about what guidance should be included to swiftly implement mitigations within the confines of state law without disrupting ongoing electoral processes.
- Public Disclosure Protocol: Because of the public interest in election security, it is important that a standardized process for public disclosure of vulnerabilities and their resolution be developed at the outset.
- Stakeholder Engagement: It is critical for technology providers to educate and inform state and local election officials, other technology providers, and other stakeholders about their CVD program. This could include organizing workshops and training sessions for technology providers, election officials, and other stakeholders, including the public, to ensure they understand how an organization implements its CVD process. In addition, increasing the transparency of the entire CVD process from start to finish can vastly improve the public’s opinion of, and trust in, a CVD program. This could include demonstrations open to the public, or other information campaigns.
Related Resources
Guide to Vulnerability Reporting for America’s Election Administrators, Cybersecurity and Infrastructure Security Agency
Issue Briefing: Coordinated Vulnerability Disclosure, National Association of Secretaries of State
Election Security Spotlight – What Is a Vulnerability Disclosure Program?, The Center for Internet Security
Elections Industry-Special Interest Group (EI-SIG) Coordinated Vulnerability Disclosure Program White Paper, Information Technology-Information Sharing and Analysis Center (IT-ISAC) Elections Industry-Special Interest Group
Examples of Federal, State, and Local CVD Programs and Policies
Cybersecurity & Infrastructure Security Agency Coordinated Vulnerability Disclosure Program
U.S. Election Assistance Commission Vulnerability Disclosure Policy
South Carolina Election Commission
Wayne County, Ohio Board of Elections