bug bounty

Iowa launches vulnerability disclosure program for election websites

Iowa has created a vulnerability disclosure program (VDP) for its election-related websites.

Partnering with Bugcrowd, Iowa is inviting security researchers to test five websites of the Office of Iowa Secretary of State. So far, more than 50 researchers have participated in the program, officials said.

“We already have a strong infrastructure in place, but election cybersecurity is a race without a finish line,” Secretary of State Paul Pate said in a statement. “We are bolstering our cyber maturity by allowing responsible testing and reporting of our systems to the private sector.”

VDPs are recommended by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology. The Office of Management and Budget and CISA recently issued guidance to federal agencies on how to set up vulnerability research and disclosure programs. Instructions on how election administrators can set up their own VDPs are available on CISA’s website.

Iowa is the second state to have instituted a VDP. In August, Ohio’s Secretary of State, Frank LaRose announced a program with HackerOne to cover the state’s election-related websites.

Election Systems & Software, the biggest vendor of U.S. voting equipment, announced its own VDP in August covering the company’s corporate IT networks and public facing websites. It does not cover the voting machines and warns that “this policy does not give authorization to test state and local government election related networks or assets.”

 “Our latest partnership with Bugcrowd is yet another proactive measure we are taking to ensure our elections are cyber secure,” said Jeff Franklin, chief cybersecurity officer for the Secretary of State’s Office. “We look forward to actively engaging the private security researcher community so we can strengthen our systems and ensure Iowa continues to be a leader in elections and cybersecurity.”  

About the Author

Connect with the GCN staff on Twitter @GCNtech.


  • business meeting (Monkey Business Images/Shutterstock.com)

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (Shutterstock.com)

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected