IT-ISAC Elections Industry Special Interest Group Requests for Information on Implementing a Crowd-sourced Coordinated Vulnerability Disclosure Program
September 20, 2019
On August 15, 2019, the IT-ISAC Elections Industry Special Interest Group released a paper that detailed the commitment of voting systems manufacturers to the development and implementation of corporate Coordinated Vulnerability Disclosure (CVD) Programs. The white paper also noted the value of Crowd-Sourced CVD programs and discussed potential challenges in applying such programs to the elections industry and noted that the SIG would create a Request for Information to solicit feedback on how crowd-sourced CVD programs could be implemented in the elections industry.
The IT-ISAC Elections Industry Special Interest Group seeks public input, comments and suggestions on the following challenges:
How to manage a crowd-sourced CVD program on systems that are designed to be closed, isolated, and disconnected from the Internet including stand-alone embedded systems?
How to ensure that those engaging in a crowd-sourced CVD program are not nefarious actors seeking sensitive information that can then be used in attacks against the elections’ infrastructure?
How best to ensure the confidentiality of the researcher findings so that vulnerability announcements are disclosed simultaneously with a fix or mitigation for the vulnerability
Comments and input should please be sent to firstname.lastname@example.org by October 21, 2019.