Iowa launches vulnerability disclosure program for election websites
Iowa has created a vulnerability disclosure program (VDP) for its election-related websites.
Partnering with Bugcrowd, Iowa is inviting security researchers to test five websites of the Office of Iowa Secretary of State. So far, more than 50 researchers have participated in the program, officials said.
“We already have a strong infrastructure in place, but election cybersecurity is a race without a finish line,” Secretary of State Paul Pate said in a statement. “We are bolstering our cyber maturity by allowing responsible testing and reporting of our systems to the private sector.”
VDPs are recommended by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology. The Office of Management and Budget and CISA recently issued guidance to federal agencies on how to set up vulnerability research and disclosure programs. Instructions on how election administrators can set up their own VDPs are available on CISA’s website.
Iowa is the second state to have instituted a VDP. In August, Ohio’s Secretary of State, Frank LaRose, announced a program with HackerOne to cover the state’s election-related websites.
Election Systems & Software, the biggest vendor of U.S. voting equipment, announced its own VDP in August covering the company’s corporate IT networks and public-facing websites. The policy does not cover the voting machines and warns that “this policy does not give authorization to test state and local government election related networks or assets.”
“Our latest partnership with Bugcrowd is yet another proactive measure we are taking to ensure our elections are cyber secure,” said Jeff Franklin, chief cybersecurity officer for the Secretary of State’s Office. “We look forward to actively engaging the private security researcher community so we can strengthen our systems and ensure Iowa continues to be a leader in elections and cybersecurity.”
Connect with the GCN staff on Twitter @GCNtech.