"Idaho Now Has a Vulnerability Disclosure Policy for Election Websites"

The Idaho secretary of state's office has become the fourth in the country to implement a vulnerability disclosure policy that allows white-hat hackers to legally probe the office's election-related websites for flaws. Under the new policy, security researchers will be able to inspect a set of five websites for potential or real security flaws, such as sensitive data exposures, and report them for correction without fear of retaliation or prosecution. The secretary's office is working with the Center for Internet Security (CIS), which operates the federally funded Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) and will check any reports submitted under the new policy. The goal is to mitigate and disclose any confirmed vulnerabilities within 120 days. Idaho now joins Iowa, South Carolina, and Ohio as the only states where secretaries of state have implemented Vulnerability Disclosure Programs (VDPs) that allow independent researchers to test election-related systems legally. Under the new policy, when researchers discover a potential vulnerability, CIS will review the initial report, and if its staff can replicate the flaw, they will notify Idaho's Information Technology (IT) team, which will begin mitigation. The policy also restricts the types of research that can be conducted: tests for Denial-of-Service and attempts to degrade services are prohibited. This article continues to discuss Idaho's vulnerability disclosure policy for election websites.

StateScoop reports "Idaho Now Has a Vulnerability Disclosure Policy for Election Websites"
