Building a Vulnerability Disclosure Program that Works for Election Vendors and Hackers

Conference:  BlackHat USA 2020



The presentation discusses the importance of crowdsourced security and supply chain security for election technology. The speaker emphasizes the need for continuous testing, federal standards, and public awareness to build a more secure voting infrastructure.
  • Crowdsourced security covers vulnerability disclosure programs, open bug bounties, and invite-only bug bounties
  • Managed crowdsourced pen testing combines open vulnerability discovery, automated scanning, and a compliance-driven checklist approach
  • Continuous testing and federal standards are needed to improve election security
  • Supply chain security is crucial to the safety and trustworthiness of election technology components
The speaker personally audits supplier partners' supply chains to ensure that no malware or rogue components are present. They also extract firmware from a random sample of delivered parts and compare it against a golden (known-good) reference image to confirm it has not been manipulated.
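The sampling-and-comparison step above can be mechanized. The following is an added example, not code from the talk or from any election vendor: it picks a reproducible random sample of parts, hashes each extracted firmware image against a golden reference, and on a mismatch reports the first differing byte offset so the auditor knows where to start disassembling. The part IDs, firmware bytes and reference hash are all constructed for illustration; in a real audit the golden hash would come from a signed manifest held off the supplier's network, and the images would be read from the parts with a chip programmer rather than from an in-memory dict.

```python
"""
Added example (not from the talk): verify a random sample of extracted
firmware images against a golden (known-good) reference image.

All data below is constructed for illustration. The part IDs, the
firmware bytes and the reference hash are hypothetical and do not
describe any real vendor, device or product.
"""
import hashlib
import random
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Constructed data --------------------------------------------------
# Golden firmware image for the part family: 1 KiB of a repeating pattern.
GOLDEN_IMAGE = bytes(range(256)) * 4
# In practice this hash comes from a signed manifest kept off the
# supplier's network; here it is derived from the constructed image.
GOLDEN_SHA256 = hashlib.sha256(GOLDEN_IMAGE).hexdigest()

# Firmware "dumped" from six delivered parts (hypothetical IDs).
# P-0003 has one byte flipped at offset 300; P-0005 is truncated at 900
# bytes (a partial or interrupted flash); the rest are intact.
_tampered = bytearray(GOLDEN_IMAGE)
_tampered[300] ^= 0x80
EXTRACTED_IMAGES: Dict[str, bytes] = {
    "P-0001": GOLDEN_IMAGE,
    "P-0002": GOLDEN_IMAGE,
    "P-0003": bytes(_tampered),
    "P-0004": GOLDEN_IMAGE,
    "P-0005": GOLDEN_IMAGE[:900],
    "P-0006": GOLDEN_IMAGE,
}


@dataclass
class FirmwareCheck:
    part_id: str
    expected_sha256: str
    actual_sha256: str
    first_diff_offset: Optional[int]  # None when the image matches

    @property
    def ok(self) -> bool:
        return self.expected_sha256 == self.actual_sha256


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None if the images are identical.
    A length mismatch with an identical prefix reports the shorter length."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    if len(a) != len(b):
        return min(len(a), len(b))
    return None


def select_sample(inventory: List[str], n: int, seed: int) -> List[str]:
    """Pick n distinct parts uniformly at random. A recorded seed makes the
    sample reproducible so a second auditor can re-pull the same parts."""
    return random.Random(seed).sample(inventory, n)


def audit_sample(part_ids: List[str], extracted: Dict[str, bytes],
                 golden: bytes) -> List[FirmwareCheck]:
    """Hash each sampled part's image against the golden image. The hash
    decides pass/fail; the byte diff is only computed for failures so the
    auditor knows where to look."""
    expected = hashlib.sha256(golden).hexdigest()
    results = []
    for pid in part_ids:
        image = extracted[pid]
        actual = hashlib.sha256(image).hexdigest()
        diff = None if actual == expected else first_difference(golden, image)
        results.append(FirmwareCheck(pid, expected, actual, diff))
    return results


def failed_parts(checks: List[FirmwareCheck]) -> List[str]:
    """Part IDs whose firmware did not match the golden image."""
    return [c.part_id for c in checks if not c.ok]


if __name__ == "__main__":
    sample = select_sample(list(EXTRACTED_IMAGES), n=3, seed=7)
    for c in audit_sample(sample, EXTRACTED_IMAGES, GOLDEN_IMAGE):
        status = "OK" if c.ok else f"MISMATCH at offset {c.first_diff_offset}"
        print(f"{c.part_id}: {status}")
```

Two design points: the hash is the only pass/fail criterion (a single flipped byte or a truncated image both fail it), and the seed used for `select_sample` should be logged with the audit record so the same parts can be re-sampled if a mismatch is disputed.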


Election vendors are an integral part of American democracy. Because voting machines and the companies that manufacture them are so vital to our nation, their security practices and protections are under intense scrutiny, especially since the 2016 presidential election when Russian hackers attempted to disrupt American elections. This talk will explore the perspectives of voting vendors as well as security researchers. Ensuring that critical vulnerabilities are found and fixed is a complicated and sensitive process, and one that urgently requires a comprehensive solution. There are challenges such as privacy, communication, the certification processes, and remediation. The voting industry and the security researchers who are examining their products need a Vulnerability Disclosure Program so both communities can effectively work together to fix problems in election systems and ultimately make America's democracy stronger and more resilient.

The companies that make voting equipment and election systems are innovating to improve security, and looking for new ways to harden their systems against attacks. This presentation will explore those efforts as well as examine new models for researcher and election vendor collaboration, including Coordinated Vulnerability Disclosure (CVD) programs, collaboration at the Voting Village at DEF CON and similar efforts, and Crowdsourced Penetration Testing. It will also look at ideas for improving the relationship between researchers and voting vendors. Additionally, the election industry has many lessons to share that leaders across the manufacturing space can learn from to better protect their own critical assets, information and customer base.