Coordinated Vulnerability Disclosure Policy

Scope

This policy applies to any commercial products developed by Dominion Voting Systems. To report a potential security issue or potential vulnerability for a Dominion-developed product or technology, email: [email protected].

We are happy to work with you if you prefer to send your message in encrypted form. The more details you provide, the easier it will be for us to investigate, triage, and fix a potential issue.

Potential vulnerabilities in third-party components, including operating systems, should not be reported via this process unless a researcher can specify and demonstrate how the third-party component vulnerability could result in a potential vulnerability in Dominion-developed products.

How to Submit a Report

Reports may be submitted anonymously.  Otherwise, you should submit:

• Contact information, including name(s), email address, and phone number, so that we can follow up with you. We ask for contact information only so that our team can consult with you, if needed, when addressing your submission.
• Technical description of the concern or potential vulnerability, including:
  - When, where and how it was discovered
  - Which product(s) or device(s) it may impact
  - If hardware, software, or ancillary components were acquired, how were they acquired
  - Any additional information that is helpful, including details on the testing environment and tools used
• Whether you have notified anyone else about the potential vulnerability, such as an election authority or other third parties.

Reporting Guidelines

In participating in our Coordinated Vulnerability Disclosure Program, researchers must adhere to the following prerequisites throughout the research and disclosure process, including initial research and testing:

• Follow this policy, as well as any other relevant laws, regulations, or agreements that apply to conducting and sharing your research.
• Ensure that you have written permission from Dominion Voting Systems in advance of any testing.
• Perform testing only on in-scope systems.
• Promptly report any discovered potential vulnerability directly to the company.
• Do not disrupt a live election or any voter's ability to cast their vote.
• Do not disclose any potential vulnerability details to the public before a mutually agreed-upon timeframe with Dominion Voting Systems has expired. Dominion will base such need on any time required for seeking federal and/or state government certification updates, as well as any applicable embargo periods (see below for embargo terms).
• Do not access any data beyond the minimum extent necessary to effectively demonstrate the presence of a potential vulnerability.
• Provide us with details of communication to any regulatory or election authority organizations or other third parties about any potential vulnerability, without delay.

Dominion reserves the right to require a signed Non-Disclosure Agreement when Dominion arranges for voluntary third-party testing engagements.

By submitting information, you agree that your submission will be governed by Dominion's Privacy Statement and Terms of Use.

What Dominion Will Do

When working with our company according to this policy, you can expect Dominion to:

• Acknowledge reports within five (5) business days and provide the name of a contact.
• Notify appropriate company personnel, who may want to follow up with you to better understand what you've reported, or to confirm technical details/proof of concept.
• Strive to keep you informed about the progress of a potential vulnerability report review, as it is processed and appropriate action is determined.
• Notify you if the reported potential vulnerability is not accepted into the program due to not meeting program requirements or other findings.
• Work to address discovered potential vulnerabilities in a timely manner, per the above.
• Extend Safe Harbor for your vulnerability research that complies with this policy.
• Adhere to the legal rights and protections established for the conduct of good faith research specified in the Digital Millennium Copyright Act Section 1201 Exemptions.

Dominion reserves the right to change any aspect of our coordinated disclosure process at any time without notice, and to make exceptions to it on a case-by-case basis.

Embargo

Public reporting of potential vulnerabilities that may impact a live election may be embargoed until after the active election period if disclosing would negatively impact the conduct of the election.

Safe Habor

When conducting vulnerability research according to this policy, we consider such research to be:

• Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate legal action against you for accidental, good faith violations of this policy;
• Exempt from the Digital Millennium Copyright Act (DMCA), per Section 1201;
• Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
• Lawful, helpful to the overall security of elections and conducted in good faith.

This Safe Harbor provision is void if the vulnerability research is not conducted in conformance with this policy. In addition, you are expected to comply with all applicable laws and signed agreements.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us using our security reporting form.