Ohio becomes first state to release vulnerability policy for election-related websites
Ohio’s secretary of state has established guidelines for security experts to find and help fix software flaws in the state’s election-related websites, the first such move by a state as the 2020 election approaches.
The vulnerability disclosure policy (VDP) covers registration websites for Ohio residents and overseas and military voters, among other sites, and provides legal liability protections for researchers. The program will bolster the efforts of Ohio Secretary of State Frank LaRose’s security team at a time when threats to election infrastructure “have never been greater,” the policy states. Under the policy, researchers are required to wait four months after reporting a vulnerability to Ohio officials before going public with it.
“We believe that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process, and that one of the best ways to make software better is to enable everyone to learn from each other’s mistakes,” the policy says.
The VDP does not cover voting equipment, such as voting machines and electronic pollbooks.
Security experts said Ohio is the first known state to establish a VDP that covers election-related websites. Delaware previously published a general VDP, but it’s unclear how often it is used.
The new policy is another incremental step by election administrators and vendors to work with independent security researchers. It comes the same week that Election Systems & Software, the biggest vendor of U.S. voting equipment, released its own VDP. The Department of Homeland Security’s cybersecurity division has tried to encourage states to set up VDPs by releasing a best practices guide for doing so.
“Ohio’s vulnerability disclosure policy is a terrific sign that transparency is increasing across the board for election security,” said Jack Cable, an elections-focused security researcher.