
Iowa launches vulnerability disclosure program for election websites

Iowa has created a vulnerability disclosure program (VDP) for its election-related websites.

Partnering with Bugcrowd, Iowa is inviting security researchers to test five websites of the Office of Iowa Secretary of State. So far, more than 50 researchers have participated in the program, officials said.

“We already have a strong infrastructure in place, but election cybersecurity is a race without a finish line,” Secretary of State Paul Pate said in a statement. “We are bolstering our cyber maturity by allowing responsible testing and reporting of our systems to the private sector.”

VDPs are recommended by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology. The Office of Management and Budget and CISA recently issued guidance to federal agencies on how to set up vulnerability research and disclosure programs. Instructions on how election administrators can set up their own VDPs are available on CISA’s website.

Iowa is the second state to have instituted a VDP. In August, Ohio’s Secretary of State, Frank LaRose, announced a program with HackerOne to cover the state’s election-related websites.

Election Systems & Software, the biggest vendor of U.S. voting equipment, announced its own VDP in August covering the company’s corporate IT networks and public-facing websites. It does not cover the voting machines and warns that “this policy does not give authorization to test state and local government election related networks or assets.”

“Our latest partnership with Bugcrowd is yet another proactive measure we are taking to ensure our elections are cyber secure,” said Jeff Franklin, chief cybersecurity officer for the Secretary of State’s Office. “We look forward to actively engaging the private security researcher community so we can strengthen our systems and ensure Iowa continues to be a leader in elections and cybersecurity.”

About the Author

Connect with the GCN staff on Twitter @GCNtech.

