This Security Issue Disclosure Policy document sets forth the policies that Voatz uses to disclose security issues and resolutions with its Mobile Voting Platform.
The security of our election infrastructure is critical to the integrity of our democracy. Therefore, we value the input of security researchers acting in good faith to help us maintain a high standard for the security of our systems, which in turn gives all voters confidence in our electoral process. This includes encouraging responsible research and disclosure of issues. This policy sets forth our definition of good faith in the context of finding and reporting issues, as well as what you can expect from Voatz in return.
The scope of this policy includes only Internet-accessible election applications and infrastructure, including:
- App-based mobile voting platforms
- Web-based remote ballot marking systems
From time to time, Voatz may add additional items to the above list. Any systems not listed above are out-of-scope for security testing under this policy.
How to report
We recommend the following methods to report.
- Use our bug bounty programs.
- Directly via email to cso at voatz.com
From time to time, Voatz may add additional methods to the above list.
What you can expect from Voatz
When working with us according to this policy, you can expect us to:
- Always hold the integrity of the democratic process as critical to our mission.
- Extend Safe Harbor for your issue / vulnerability research that is related to this policy.
- Work with you to understand and validate your report, including a timely initial response to the submission.
- Work to remediate discovered issues / vulnerabilities within our budgetary and operational constraints.
- Recognize your contribution to improving our security, after remediation and at a time of our choosing if you are the first to report a unique issue / vulnerability, and if your report triggers a code or configuration change.
With your permission, we will disclose unfixed issues that you find with other security researchers to assist in their testing to avoid unnecessary duplication of effort.
What happens if an issue or vulnerability provides unintended access to data?
If an issue or vulnerability provides unintended access to data:
- Cease testing and submit a report immediately if you encounter any user or voter data during testing, such as Personally Identifiable Information (PII).
- Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept.
- Avoid downloading or extracting data of any kind. A screenshot of 3-5 records and/or a brief video is generally enough for your Proof of Concept.
Safe Harbor Policy
Voatz acknowledges the research community’s important role in securing our services. Due to our live systems’ designation as U.S. Critical Infrastructure, it is subject to strict monitoring and incident reporting requirements. We therefore ask that participants take special care to limit testing activities to our test environments. Unfortunately, Voatz is unable to guarantee safe harbor if you make attempts to access production assets and / or live election systems for testing purposes.
Our test environments have been designed to closely mirror our live environments and we encourage you to contact us if your research is inhibited in any way.
Voatz supports safe harbor for participants who:
- Use the test or beta versions of our mobile apps (Apple TestFlight or Google Play Beta) as provided through our program’s scope and the specific links on this page below.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Provide us with a reasonable amount of time to resolve vulnerabilities prior to any disclosure to the public or a third-party.
We will consider activities conducted consistent with this policy to constitute “authorized” conduct and will not pursue civil action or initiate a complaint against you. We will help to the extent we can if legal action is initiated by a third party against you. When conducting vulnerability research consistent with this policy, we consider the research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and / or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy;
- Lawful and helpful to the overall security of the Internet, and conducted in good faith; and
- You are expected, as always, to comply with all applicable laws.
Responsible Disclosure Policy
For the protection of our customers and to protect against malicious attackers seeking to sow misinformation and / or to exploit reported but not yet resolved security issues, Voatz does not disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available. To minimize the potential disruption to the electoral process, Voatz will make public disclosure during defined Issue Disclosure Windows (IDWs).
While we will always strongly consider your assessment and recommendations regarding vulnerability severity, Voatz retains the authority to determine what issues and / or vulnerabilities can and should be remediated and within what time frame. We will always prioritize our mission to administer fair elections and will address vulnerabilities to the best of our ability to achieve that goal.
The Voatz Security Policy is modeled after Apple’s security policy.
The timing of IDWs is determined by the election calendars of Voatz customers. Note, the nature of IDWs is inherently fluid (e.g. special elections to fill the position of a deceased elected official).
Last Updated: March 1, 2020