One of the largest bug bounty firms in the business has launched an initiative that will allow states’ election officials to test the security of election systems ahead of the 2018 midterm elections.
Redwood City, California-based Synack announced Tuesday that it is offering free crowdsourced remote penetration testing services to state and local governments until November.
Synack co-founder Jay Kaplan told CyberScoop the idea came together after a series of meetings with government officials, including top executives at the Department of Homeland Security, that discussed how the private sector could be doing more to ward off digital meddling. After Synack’s services are completed, states and localities can harden their systems based on the test’s results.
In a letter written to all 50 secretaries of state, which was provided to CyberScoop, Kaplan wrote: “Staying one step ahead of the adversary is critical to success. Our pro bono services look for vulnerabilities in remotely-accessible voter registration databases and online voter registration websites from a hacker’s perspective.”
Over the last 12 months, senior U.S. intelligence officials have warned of impending cyberattacks and other malicious attempts to interfere with the 2018 midterms. Former FBI Director James Comey also said in 2017 that he fully expected the Russian government and others to once again target the 2018 and 2020 U.S. elections.
Synack joins a short list of other U.S. technology companies, including Facebook, Alphabet Inc. and Cloudflare, that have publicly offered pro bono technology or services to political campaigns or governments as part of broad election security efforts. For example, Google subsidiary Jigsaw recently announced a free distributed-denial-of-service (DDoS) protection tool for political campaigns, groups and organizers.
Any software or hardware flaw discovered by Synack through its “Election Security Initiative” will be privately analyzed and then disclosed to the affected vendor after the relevant state official is first notified.
Only voter registration databases and websites will be tested for vulnerabilities ahead of November, but in the future the program’s scope may expand to different systems and in-person consulting, Kaplan said.
At the moment, two states are already engaged with Synack on the initiative. A spokesperson declined to name which states signed up, but said the company expects significant interest and participation in the coming weeks. A total of $550,000 has been budgeted for phase one of the initiative, with an eye on potential expansion in the future.
Synack researchers involved in the initiative will need to pass a background check and hold a U.S., U.K., Canadian, New Zealand or Australian passport, said Kaplan. Kaplan described this vetting process as unique to Synack; other bug bounty firms, like Bugcrowd or HackerOne, leave the majority of their bounty programs open to the public.
The spokesperson described Synack’s vetting process in greater detail, noting that: “all members of the Synack Red Team must undergo a rigorous 5-step vetting process that includes background checks. The steps of the process are: 1) Application Review, 2) Behavioral Interview, 3) Skills Assessment, 4) Trust Assessment (including background and ID checks), 5) Acceptance and Monitoring on the platform …. Typically, U.S. government users prefer to engage only with the segment of the Synack Red Team from US or FVEY countries.”
This type of screening is what makes the company capable of pursuing such sensitive vulnerability research at the state level, Kaplan said. Today, the Homeland Security Department is already providing vulnerability scanning and testing services to states, but those efforts are generally constrained by the agency’s limited cybersecurity workforce and tight deadlines.
Bugcrowd, HackerOne and Synack have attracted considerable private investments, while the overall bug bounty market continues to grow.