Coordinated Vulnerability Disclosure Policy
Dominion Voting Systems welcomes feedback from the security research community. If you believe that you have discovered a vulnerability in any of our systems or products, we want to hear from you so that we can investigate.
This policy applies to any digital assets owned, operated, or maintained by Dominion Voting Systems, including our public-facing website and company products.
Email: [email protected]
We are happy to work with you if you prefer to send your message in encrypted form. The more details you provide, the easier it will be for us to investigate, triage and fix a potential issue.
What to provide
Reports may be submitted anonymously. Otherwise, you should submit:
- Contact information, including name(s), organization name (if applicable), email address and phone number, so that we can follow up with you. We ask for contact information only to consult our team when addressing your submission. We never share your contact information outside of the company.
- Technical description of the concern or vulnerability, including:
  - When, where and how it was discovered
  - Which products/devices/systems it is impacting
  - Any additional information that is helpful, including details on the testing environment and tools used
  - Whether you have notified anyone else about the potential vulnerability (e.g. federal agencies, election authorities, etc.)
In participating in our VDP, we ask that you:
- Play by the rules. This includes following this policy, as well as any other relevant laws and agreements in conducting your research. If there is any inconsistency between this policy and any other relevant terms, this policy will prevail.
- Promptly report any vulnerability that you’ve discovered directly to the company.
- Avoid violating the privacy of others, damaging or disrupting our systems, destroying/modifying/exfiltrating data and/or harming user experience, to include disrupting a live election or any voter's ability to cast their vote.
- Use only Official Channels (listed on this page) to discuss vulnerability information with us.
- Keep the details of any discovered vulnerabilities confidential until they are fixed and/or mitigated.
- Perform testing only on in-scope systems listed above.
- To the greatest extent possible, only interact with test accounts you own, or accounts with explicit permission from the account owner.
- Do not access any data beyond the minimum extent necessary to effectively demonstrate the presence of a vulnerability. If you encounter any Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information while testing, we ask that you cease testing and immediately submit a report.
- Agree to not publicly disclose a reported vulnerability until after a fix or mitigation has been released and the program owner has provided permission to disclose, OR after 90 days from submission (whichever is sooner), subject to any applicable embargo periods (see below for Embargo terms).
What Dominion Will Do
When working with us according to this policy, you can expect us to:
- Acknowledge reports within five (5) business days and provide the name of a contact person
- Notify appropriate security personnel, who may want to follow up with you to better understand what you've reported, or to confirm technical details
- Strive to keep you informed about the progress of a vulnerability report review, as it is processed, and appropriate action is determined
- Work to remediate discovered vulnerabilities in a timely manner - per the above, mitigations will be published/released within ninety (90) days.
- Extend Safe Harbor for your vulnerability research that is related to this policy
- Adhere to the legal rights and protections established for the conduct of good faith research specified in the Digital Millennium Copyright Act Section 1201 Exemptions
- Reserve the right to change any aspect of our coordinated disclosure process at any time without notice, and to make exceptions to it on a case-by-case basis.
Critical vulnerabilities that may impact a live election may be embargoed until after the active election period if disclosing would negatively impact the conduct of the election.
When you conduct vulnerability research according to this policy, we consider that research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), per Section 1201;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of elections and conducted in good faith.
This Safe Harbor provision is void if the vulnerability research is not conducted in conformance with this policy. In addition, you are expected to comply with all applicable laws and signed agreements. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us using our security reporting form.