Voting-machine companies are thinking about vulnerability disclosure, bug bounty programs
Voting-equipment vendors expressed interest Thursday in establishing a program for the coordinated disclosure of hardware and software vulnerabilities in their equipment — a practice common in other industries and long championed by security experts.
An industry group offered support for a voluntary coordinated vulnerability disclosure (CVD) process that collaborates with ethical hackers to fix equipment flaws faster. The move comes as some security researchers and policymakers have criticized the industry’s big vendors for being slow to embrace ethical hacking.
The commitment to work with “good-faith researchers marks a significant turn in industry-wide thinking,” says a white paper issued by the Elections Industry-Special Interest Group (EI-SIG), part of the IT-Information Sharing and Analysis Center. The group includes the country’s three largest vendors — Dominion Voting Systems, Election Systems & Software (ES&S), and Hart InterCivic.
Perhaps the biggest challenge to establishing a CVD program will be aligning it with a testing and certification process — run by the federal Election Assistance Commission (EAC) — that can require entire voting systems to be retested or re-certified when software patches are applied. Certification experts and vendors drove that point home Thursday at a hearing at the EAC in Silver Spring, Maryland.
“[C]oordinated vulnerability disclosure programs won’t work unless the testing and certification process is modified to accept those kinds of inputs,” Chris Wlaschin, vice president of systems security at ES&S, told the EAC commissioners.
After his testimony, Wlaschin told CyberScoop that voting-system manufacturers “have warmed up to the idea” of a CVD program. “It’s a team effort. We need to partner with ethical researchers. … It’s just taken some time.”
Jerome Lovato, whom the EAC tapped to lead its testing and certification program in May, said he was planning to convene a working group with industry and security experts to try to figure out how to resolve the tension between vulnerability disclosure and the current testing and certification regime.
One goal would be to establish a common definition of what exactly a vulnerability is in the context of voting equipment, he said. “A vulnerability could mean a lot of things,” Lovato told CyberScoop.
The vendors are also exploring the idea of a bug bounty program, another common practice in other industries in which security researchers are compensated for the flaws they find in an organization’s systems.
But setting that up with manufacturers will also be tricky, the industry group said.
“Because it is not possible to upload a voting machine to a secure platform for researchers to investigate without creating new vulnerabilities and security issues, they do not easily lend themselves to crowd-sourced testing platforms,” the group said.
Regardless, bug bounty expert Katie Moussouris cautioned that such programs are “not the most efficient way to secure voting equipment.”
“There are many known classes of vulnerabilities that should not take outsiders to find, but rather could be found using common tools and should be used by the vendors themselves to find those bugs,” Moussouris, founder and CEO of Luta Security, told CyberScoop.
Vendors’ efforts to beef up their systems come as the broader election ecosystem prepares for the 2020 election, which U.S. officials again warn will draw attempts at foreign interference.
That preparation includes the DEF CON Voting Village, which last week hosted voting tabulators, pollbooks, and other systems for hackers to probe for vulnerabilities. Despite the village featuring more gear this year, none of it came courtesy of the three big vendors. That, an organizer of the village told CyberScoop, is a sign that the industry’s “corporate culture isn’t quite there” in embracing ethical hackers.