Microsoft unveils bug bounty program for election software

The Microsoft Theatre in Los Angeles. (REUTERS / Mike Blake)


Written by

Microsoft on Friday said it was establishing a bug bounty program for its open-source election software, the latest move by the tech giant to try to bolster election security.

Microsoft is inviting researchers from anywhere and any background — whether elite industry professionals, tinkerers, or students — to find “high-impact vulnerabilities in targeted areas” of its ElectionGuard Software Development Kit, said Jarek Stanley, a senior program manager at the Microsoft Security Response Center.

Researchers can make up to $15,000 per bug they find and share through Microsoft’s coordinated vulnerability disclosure (CVD) program. They are being asked to hunt for bugs that could affect the integrity of data in the ElectionGuard software, including for example, the kit’s implementation of cryptography.

Big tech companies from Microsoft to Apple to Google all have bug bounty programs, but they are much rarer in the election security space. Voting equipment vendors, for example, are setting up a CVD program but have yet to pursue bug bounty policies.

Microsoft introduced ElectionGuard in May, an effort to boost voter confidence in the security of the ballot at a time of heightened attention on vulnerabilities in election infrastructure. The software helps third parties validate election results and voters ensure their ballots were correctly counted. ElectionGuard gives each voter a unique code to track the encrypted version of her vote to confirm that it was not altered.

Microsoft originally said ElectionGuard would become available to election officials this summer. It is unclear how widely adopted the software is. When asked that question, a Microsoft spokesperson pointed to a September blog from the company saying ElectionGuard was available on GitHub. Regardless, any change to the voting ecosystem takes time to implement given officials often plan to procure equipment long before deploying it.

The announcement follows Microsoft’s move in September, first reported by CyberScoop, to offer state and local election officials free security support for Windows 7, the antiquated and less secure operating system, used in voting systems through 2020.

-In this Story-

bug bounty, election security, Microsoft, open source