Top voting vendor ES&S publishes vulnerability disclosure policy

"We think it’s important to have that safe harbor language out there to set expectations," said ESS's Chris Wlaschin.
Christopher Wlaschin speaks Oct. 18, 2017, at CyberTalks in Washington, D.C. (CyberScoop)

Election Systems & Software, the biggest vendor of U.S. voting equipment, on Wednesday announced a policy to work more closely with security researchers to find software bugs in the company’s IT networks and websites.

“Hackers are going to hack, researchers are going to research, whether or not there’s a policy in place,” Chris Wlaschin, ES&S’s vice president of systems security, told CyberScoop. “We think it’s important to have that safe harbor language out there to set expectations.”

The policy allows researchers to probe ES&S’s corporate systems and public-facing websites, but not the election systems in place at jurisdictions around the country, which are subject to different testing regimes. The ES&S policy gives the company 90 days to fix vulnerabilities before researchers can report on them publicly — a standard timeline in the research community.

For ES&S, the policy marks another step in collaborating with a white-hat hacking community with which it once clashed. The Omaha, Nebraska-based voting machine maker was one of multiple vendors in 2018 to criticize the Voting Village, a site at the DEF CON hacking conference where researchers examined equipment, as unrealistic and sensational.


Since then, voting equipment vendors have gradually embraced white-hat hacking and more public scrutiny of their systems. Last fall, the vendors released a request for ideas in setting up an industry-wide vulnerability disclosure program.

Wlaschin announced the new policy on Wednesday at Black Hat, one of the largest security conferences in the world.

Jack Cable, a white-hat hacker who previously found a bug in ES&S’s corporate virtual private networking product, welcomed the policy.

“The policy strikes a good middle ground of authorizing testing for systems under ES&S’s control while still accepting reports for systems for which they cannot authorize testing,” Cable told CyberScoop. “The next step is to build partnerships between vendors, election officials, and groups like the Voting Village to have full-fledged public assessments.”

“I hope that other vendors follow suit and welcome hackers with open arms,” Cable said.


Kevin Skoglund, another security researcher who has worked with ES&S, credited the new policy for including “reasonable provisions for safe harbor, scope and disclosure. It even alludes to a program to provide access to equipment.” He, too, said he hoped other vendors would publish a policy.

Kay Stimson, a spokesperson for Dominion Voting Systems, another top voting equipment vendor, said the company planned to release a vulnerability disclosure policy in the coming weeks. A spokesperson for Hart InterCivic, another big vendor, did not respond to a request for comment.

The ES&S announcement follows the release last week by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency of a guide for election officials interested in establishing their own vulnerability disclosure programs.

The work to secure election-related infrastructure comes as U.S. officials continue to warn that the 2020 election will draw foreign interference attempts.

On Wednesday at the Black Hat virtual conference, CISA Director Chris Krebs urged voters to be vigilant in the face of disinformation campaigns and patient in waiting for votes to be counted. “The last measure of resilience in the 2020 election is going to be an informed, patient voter,” he said.


UPDATE, 08/06/20, 10:03 a.m. EDT: The story has been updated with a statement from Dominion Voting Systems.


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
