Coordinated Vulnerability Disclosure Policy
Dominion Voting Systems welcomes proactive engagement with our company on potential vulnerabilities to foster proposed disclosure in a coordinated and responsible manner. The collective goal of security researchers and Dominion is to reduce risk with due consideration for the entire operating environment impacted by any potential vulnerability.
This policy applies to any digital assets owned, operated, or maintained by Dominion Voting Systems, including our public-facing website and company products.
Email: [email protected]
We are happy to work with you if you prefer to send your message in encrypted form. The more detail you provide, the easier it will be for us to investigate, triage and fix a potential issue.
What to provide
Reports may be submitted anonymously. Otherwise, you should submit:
- Contact information, including name(s), organization name (if applicable), email address and phone number, so that we can follow up with you. We ask for contact information only to consult our team when addressing your submission. We never share your contact information outside of the company.
- Technical description of the concern or vulnerability, including:
  - When, where and how it was discovered
  - Which products/devices/systems it is impacting
  - If hardware, software, or ancillary components were acquired, how they were acquired
  - Any additional information that is helpful, including details on the testing environment and tools used
- Whether you have notified anyone else about the potential vulnerability (e.g. federal agencies, election authorities, etc.)
When participating in our Coordinated Vulnerability Disclosure Program, researchers must adhere to the following requirements throughout the research and disclosure process, including initial research and testing:
- Follow this policy, as well as any other relevant laws, regulations, or agreements that apply to conducting and sharing your research.
- Ensure that you have written permission from Dominion Voting Systems in advance of any testing.
- Perform testing only on in-scope systems.
- Promptly report any discovered potential vulnerability directly to the company.
- Do not disrupt a live election or any voter's ability to cast their vote.
- Do not disclose any potential vulnerability details to the public before a timeframe mutually agreed upon with Dominion Voting Systems has expired. Dominion will base that timeframe on the time required to seek federal and/or state government certification updates, as well as any applicable embargo periods (see below for embargo terms).
- Do not access any data beyond the minimum extent necessary to effectively demonstrate the presence of a potential vulnerability.
- Provide us with details of communication to any regulatory or election authority organizations or other third parties about any potential vulnerability, without delay.
Dominion reserves the right to require a signed Non-Disclosure Agreement when Dominion arranges for voluntary third-party testing engagements.
What Dominion Will Do
When working with our company according to this policy, you can expect Dominion to:
- Acknowledge reports within five (5) business days and provide the name of a contact.
- Notify appropriate company personnel, who may want to follow up with you to better understand what you've reported, or to confirm technical details/proof of concept.
- Strive to keep you informed about the progress of a potential vulnerability report review, as it is processed and appropriate action is determined.
- Notify you if the reported potential vulnerability is not accepted into the program due to not meeting program requirements or other findings.
- Work to address discovered potential vulnerabilities in a timely manner, per the above.
- Extend Safe Harbor for your vulnerability research that complies with this policy.
- Adhere to the legal rights and protections established for the conduct of good faith research specified in the Digital Millennium Copyright Act Section 1201 Exemptions.
Dominion reserves the right to change any aspect of our coordinated disclosure process at any time without notice, and to make exceptions to it on a case-by-case basis.
Public reporting of potential vulnerabilities that may impact a live election may be embargoed until after the active election period if disclosing would negatively impact the conduct of the election.
We consider vulnerability research conducted according to this policy to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), per Section 1201;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of elections and conducted in good faith.
This Safe Harbor provision is void if the vulnerability research is not conducted in conformance with this policy. In addition, you are expected to comply with all applicable laws and signed agreements.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us using our security reporting form.