Microsoft announced Oct. 18 that it launched a bug bounty program for ElectionGuard, its free open-source software development kit (SDK) which aims to make voting more secure, transparent, and accessible.
In a blog post, Jarek Stanley, senior program manager, Microsoft Security Response Center, said that the program “invites security researchers to partner with Microsoft to secure ElectionGuard users, and is a part of Microsoft’s broader commitment to preserving and protecting electoral processes under [Microsoft’s] Defending Democracy Program.”
Stanley said the international researchers invited to participate will include full-time cybersecurity professionals, part-time hobbyists, and students. They will be tasked with discovering “high impact vulnerabilities in targeted areas of the ElectionGuard SDK and share them with Microsoft under Coordinated Vulnerability Disclosure (CVD).” Researchers are eligible for rewards from $500 to $15,000 when they provide Microsoft with a clear and concise proof of concept.
The ElectionGuard SDK includes multiple repositories, components, and reference implementations to guide implementers.
Microsoft provides further details for what is currently “in scope” for bounty rewards. It did note that that as additional ElectionGuard components are developed, they will update the bounty scope.
The components currently available for the bounty program are:
- ElectionGuard specification and documentation: Mathematical errors in the specification resulting in election vulnerability, including but not limited to proof checking procedures that say a proof is valid when it isn’t; transmission of data that can allow votes to be discovered; transmission of data that can allow discovery of secret keys; and transmission of data that can allow discovery of secret key shares.
- Verifier reference implementation: Vulnerabilities including, but not limited to inputs to the reference verifier that do not represent valid elections yet are reported to be valid by the verifier.
- ElectionGuard API SDK: C Cryptography implementations (excludes items appearing in the limitations from the README), including bugs in proof generation or proof sanity checking code; attacks allowing for key or vote discovery by observing SDK messages; and sequences of calls to the API in an expected order that result in an election that does not decrypt or verify.
“Microsoft strongly believes close partnerships with researchers make customers more secure,” Stanley said. “Security researchers play an integral role in the ecosystem by discovering and reporting vulnerabilities to Microsoft through coordinated vulnerability disclosure. Security researchers have repeatedly demonstrated that working together helps protect customers.”
