ElectionGuard is a free open-source software development kit that secures the results of elections and makes those results securely available to approved third-party organizations for validation; it also allows individual voters to confirm that their votes were correctly counted.
The bounty program invites security researchers (“whether full-time cybersecurity professionals, part-time hobbyists or students”) to probe ElectionGuard for high-impact vulnerabilities and share them with Microsoft under Coordinated Vulnerability Disclosure (CVD). Eligible submissions with a “clear, concise proof of concept” (PoC) are eligible for awards ranging from $500 to $15,000 depending on the severity of the bug found.
In-scope products include the ElectionGuard specification and documentation (such as data-transmission issues like information leakage); the verifier reference implementation (bugs that allow attackers to claim elections are valid when they aren’t); and cryptography implementations (such as bugs that allow key or vote discovery by observing SDK messages).
The program is one prong of the company’s wider “Defending Democracy” program, under which Microsoft has pledged to protect campaigns from hacking; increase political advertising transparency online; explore ways to protect electoral processes with technology; and defend against disinformation campaigns.
Researchers said that the bug-bounty program is a welcome – if limited – addition to the private sector’s response to election meddling. However, they also highlighted the need for a more holistic effort, united across both public and private organizations.
“Russian interference in the 2016 election gave cybersecurity a quick moment in the political spotlight,” Monique Becenti, product and channel specialist at SiteLock, told Threatpost. “But when the cost of cybercrime reaches billions of dollars each year, election security needs to be top of mind for our political leaders. Since 2016, election security bills have been slow-moving. Some companies, like Microsoft, are rallying the security industry to address this issue head-on. The ElectionGuard Bounty program is an important step in the right direction, but we need political leaders who will champion this issue and ensure constituents and our elections stay secure.”
Not everyone is excited about the move; Richard Gold, head of security engineering at Digital Shadows, said that the program is limited to Microsoft’s proprietary solution, which makes its real-world impact limited at best.
“It’s great that companies like Microsoft are launching programs like this, but the question remains: how much is this kind of bug bounty going to be used?” he told Threatpost. “Bug-bounty programs need to be applied consistently in order to have a real impact. There is a trade-off in time and resources that needs to be overcome in order for a program like this to be worthwhile.”
“Microsoft is committed to strengthening our partnership with the security research community as well as pursuing new areas for security improvement in emerging technology,” said Jarek Stanley, senior program manager at the Microsoft Security Response Center, in announcing the program. “We look forward to sharing more bounty updates and improvements in the coming months.”
Microsoft paid $4.4 million in bounty rewards between July 1, 2018 and June 30 across 11 bounty programs, with a top award of $200,000.