The Cybersecurity and Infrastructure Security Agency (CISA) released the Guide to Vulnerability Reporting for America’s Election Administrators. The guide walks election officials through the steps of establishing a vulnerability disclosure program. Vulnerability disclosures can be an effective way for organizations to benefit from cybersecurity expertise without having it resident to their organization, says CISA. 

“Election officials have spent years beefing up security to their systems and closing these vulnerability gaps to keep our elections safe and secure,” said CISA Director Christopher Krebs. “Cybersecurity researchers can be great and responsible partners in this effort and we are creating this guide as a way to help state and local election officials understand the support they can offer and how to work with them in our collective, whole of nation effort to protect our elections.”  

The guide aims to help election officials understand the role that the cybersecurity research community can play in helping officials keep systems secure so that the American public’s voice can be clearly heard. The guide includes a number of best practices for improving and addressing vulnerabilities within election systems, and offers a step-by-step guide for election administrators who seek to establish a successful vulnerability disclosure program.  The six steps include:

• Step 1: Identify Systems Where You Would Accept Security Testing, and those Off-Limits
• Step 2: Draft an Easy-to-Read Vulnerability Disclosure Policy (See Appendix III)
• Step 3: Establish a Way to Receive Reports/Conduct Follow-On Communication
• Step 4: Assign Someone to Thank and Communicate with Researchers
• Step 5: Assign Someone to Vet and Fix the Vulnerabilities
• Step 6: Consider Sharing Information with Other Affected Parties

To read the Guide to Vulnerability Reporting for America’s Election Administrators, and to learn more about election security visit, www.cisa.gov/election-security.