We consider today to be an important milestone as part of our ongoing efforts to chart a new, forward approach to transparency in our elections infrastructure. We recognize that transparency in our critical infrastructure is both desired and not always championed across the industry. As part of our effort to shift the paradigm, we announce the publishing of the one of our public, comprehensive audits of our system, conducted in partnership with leading security consulting firm Trail of Bits.
Security has been our utmost priority since day one — in fact, the earliest roots of our company came from winning the ‘Hack to the Future’ hackathon at SXSW. Beyond the “hacker’s mindset” being embedded deep in our DNA, across our corporate and elections infrastructure we focus heavily on the practical aspects of security and a highly layered approach to provide defense in depth.
Audits and bug hunting are a normal, necessary part of any software development process. In order to facilitate the rapid iterations and learnings from our pilot programs, beyond our engagement with Trail of Bits, we continue to invest in frequent, ongoing audits by independent third parties external to Voatz. These audits involve a comprehensive examination of our voting platform, including the mobile application source code, backend infrastructure, and blockchain, as well as an assessment of the networks, computing devices, and processes used to transmit, process, and store voting data.
The publishing of today’s report is the first of many to come in the next several months. We have also voluntarily engaged with multiple agencies in DHS, including their Cybersecurity and Infrastructure Security Agency (CISA), one of the leading federal testing labs in the nation to review the technologies deployed in our pilots. These audits are ongoing, and due to the ever-evolving nature of threats along with the rapid iterations in the platform itself, repeated examinations of this kind are critical in our pursuit of security as a continuous exercise.
A historical summary of our various audits is available under the ‘Security Audits’ section of our FAQ.
We believe that working with collaborative security researchers is critical to the security of our elections infrastructure. As part of this philosophy, we are the first elections company in the world to open a public bug bounty program, since 2018, which grants qualified security researchers access to the latest versions of the Voatz mobile voting platform to report vulnerabilities and provide us valuable feedback. For those who want to probe more deeply, we also offer the opportunity to more qualified researchers to work with us directly.
Security Issue Disclosure Policy (LINK)
Throughout our security audits and testing process, we remain committed to providing as much transparency as possible about our system. Our full security issue disclosure policy is available here for reference.
For the protection of our customers and to protect against malicious attackers seeking to spread misinformation and/or to exploit reported but not yet resolved security issues, Voatz does not disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available. To minimize the potential disruption to the electoral process, Voatz makes public disclosure during defined Issue Disclosure Windows (IDWs) only.
An Issue Disclosure Window is a period of time when there is no election happening, and there is a reasonable period of time, say 30 days, before the start of the first early voting period in the next election and, say 7 days, after the election is certified, which is determined by state statute. In Florida, for example, the certification deadline is 14 days after Election Day; in California it is 30 days.
We continue to pursue comprehensive security measures as we evolve as a small company, and we take any reports of the existence of issues or vulnerabilities in our mobile voting platform with the highest degree of scrutiny and concern. We analyze the probability of risk around each issue by attempting to reproduce the issue from a real-world perspective and prepare a mitigation strategy accordingly.
All of this is in pursuit of our mission — that every citizen has the right to vote safely and securely regardless of their circumstances.
For more information regarding our security, please visit our frequently updated FAQ.