How Coordinated Vulnerability Disclosure Can Boost Election Integrity and Public Perception
Trust and transparency between security researchers, government agencies, and the private sector have long faced roadblocks in collaboratively advancing the security of critical election technology infrastructure. However, recent events have shown tremendous progress is possible when these independent parties become partners working towards a common goal.
Recently, a panel of experts in election security and Coordinated Vulnerability Disclosure (CVD) convened to share advice and best practices with a small group of U.S. election officials. Let's take a look at the insights from Trevor Timmons, CTO of The Elections Group, HackerOne’s Chief Legal and Policy Officer, Ilona Cohen, and CTO and co-founder Alex Rice.
1. This year, The first collaborative engagement dedicated to establishing trust and demonstrating progress through coordinated vulnerability disclosure occurred at the Election Security Research Forum (ESFR) at MITRE Facility in McLean, VA.
ESFR was the first engagement between election technology providers and ethical hackers focused on coordinated vulnerability disclosure efforts related directly to voting systems. By working together under the principles of CVD, the participants quickly built trust and made substantial progress toward collaboration in the name of more secure election technology.
Key outcomes from the event included election technology providers gaining an appreciation for hackers’ positive intentions to secure the nation’s election infrastructure, hackers diving into election system technology to build subject matter expertise, and both sides benefiting from direct dialog and collaboration. Overall, there was a marked improvement in understanding and working relationships throughout the event. Establishing an opportunity to collaborate on election security technology was an important milestone for building trust and transparency in the election process, especially critical leading into a presidential election year.
2. CVD isn’t just for election technology providers. Truly securing election systems and infrastructure requires public sector government agencies like state and local elections teams to put a CVD program in place.
"By adopting a coordinated vulnerability disclosure program, you express openness to hearing about your vulnerabilities from the good guys before the bad actors have a chance to get to them."
— Trevor Timmons, CTO, The Elections Group
While most election tech companies now have CVD programs, uptake in the public sector has been more limited. States like Ohio and Iowa have already implemented CVD and are receiving findings allowing them to harden their defenses proactively. Federal agencies like the Department of Defense (DoD) have also run CVD programs for nearly a decade.
All public sector organizations must follow suit because state and local government teams also deploy complex, interconnected technical infrastructure from various third-party vendors. Like in private industry, government technology implementations have dependencies and vulnerabilities across products and suppliers. A breakdown anywhere in the supply chain can undermine election security, which means the "see something, say something" principle of CVD must be applied across the entire ecosystem of technology providers, state and local agencies, and other third parties for private vulnerability reporting. This will enable security issues to be responsibly disclosed and addressed wherever they originate.
3. Coordinated Vulnerability Disclosure is becoming a universal best practice in public and private sectors to proactively and transparently accept responsible reporting for vulnerabilities in digital assets.
“If you have an IP address on the internet, it is already getting scanned by bad actors. You are not stopping or starting that activity with the existence of a CVD program. Wouldn't you rather know some of the things that are found by just being on the internet?”
— Alex Rice, CTO, HackerOne
Coordinated vulnerability disclosure has already been widely adopted by the federal government and is now becoming more common at the state and local levels. The federal implementation began with the "Hack the Pentagon" back in 2016 and is now mandatory for all agencies, with requirements extending to government contractors, too.
States are moving to follow suit, with endorsement from the National Association of Secretaries of State. As one example, the Ohio Secretary of State has established a vulnerability disclosure program to identify security blindspots, provide transparency around flaws, and sleep better at night, knowing researchers are helping find issues. Tens of thousands of private sector organizations worldwide have established CVD programs and engage ethical hackers in bug bounty programs and pentesting.
CVD policies create crucial engagement with partners in the ethical hacking community to surface and responsibly address vulnerabilities. Ultimately, these policies are becoming a cybersecurity best practice across the public and private sectors to enable transparent remediation of system weaknesses through coordinated disclosure. Adoption continues to accelerate as more government funding and requirements prioritize establishing CVD programs.
4. Implementing a CVD signals an agency's commitment to proactively improving security through partnerships with the ethical hacker community. While it may sound daunting, a playbook exists to start your CVD program.
"If you have a small team and limited resources, that’s the reason to create a CVD, not a reason not to. At a previous company, my first step was hiring HackerOne in part because I wanted to leverage security researchers to be able to help my company identify and remediate vulnerabilities before I had a full staff in place to do that in-house."
— Ilona Cohen, Chief Legal and Policy Officer, HackerOne
- Technology: Start with the bare minimum, but don’t stop there. Run scanners to map external facing assets and implement penetration testing to uncover weaknesses. For public sector entities, CISA can assist with no-cost assessments. Then, plan to implement a CVD as soon as possible.
- Partners and providers: Requiring your third-party service providers to have disclosure policies and make sure they’re contractually obligated to fix known vulnerabilities.
- Learn from your peers: Talking to peers with mature programs will help new adopters understand the overall security benefits and best practices in setting up CVD.
- Leverage existing guidelines and vendor expertise: Federal requirements like NIST 800-216 outline important considerations to receive vulnerability reports. Setting up intake mechanisms without robust processes to analyze and act on reports will undermine success, and vendors like HackerOne offer setup consulting. Leveraging available guidance and partnerships helps new entrants institutionalize vulnerability coordination without costly reinvention.
- Securing budget: The CISA State and Local Cybersecurity grant program is a nationwide initiative to fund cybersecurity initiatives. The State Homeland Security Grant Program and the Urban Area Security Initiative Grant Program have existed for some time, and cybersecurity initiatives are allowable. Securing a new budget is challenging, so leveraging an expert CVD vendor to help you build the value proposition is recommended.
- Internal buy-in: Security incidents come with financial costs and create harmful reputational damage. The average cost of a breach today is $4.5 million. The cost is much higher in some instances, while the cost of setting up a CVD program is minuscule in comparison. Operational efficiencies gained from CVD and ethical hacker partners can help you identify and close unknown gaps in your defenses and harden your attack surface against bad actors.
The momentum behind CVD represents the inevitable movement toward transparency in cybersecurity and the collective defense of the world’s digital assets. To learn more about CVD best practices and join public and private sector leaders leveraging ethical hacker partnerships to strengthen systems, watch the full webinar or contact the experts at HackerOne.
The 8th Annual Hacker-Powered Security Report