Ohio becomes first state to release vulnerability policy for election-related websites

The policy covers voter registration websites for Ohio residents and overseas and military voters, and provides researchers with liability protections.
The vulnerability disclosure policy (VDP) covers registration websites for Ohio residents. (Getty Images)

Ohio’s secretary of state has established guidelines for security experts to find and help fix software flaws in the state’s election-related websites, the first such move by a state as the 2020 election approaches.

The vulnerability disclosure policy (VDP) covers registration websites for Ohio residents and overseas and military voters, among other sites, and provides legal liability protections for researchers. The program will bolster the efforts of Ohio Secretary of State Frank LaRose’s security team at a time when threats to election infrastructure “have never been greater,” the policy states. Under the policy, researchers are required to wait four months after reporting a vulnerability to Ohio officials before going public with it.

“We believe that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process, and that one of the best ways to make software better is to enable everyone to learn from each other’s mistakes,” the policy says.

The VDP does not cover voting equipment, such as voting machines and electronic pollbooks.


Security experts said Ohio is the first known state to establish a VDP that covers election-related websites. Delaware previously published a general VDP, but it’s unclear how often it is used.

The new policy is another incremental step by election administrators and vendors to work with independent security researchers. It comes the week that Election Systems & Software, the biggest vendor of U.S. voting equipment, released its own VDP. The Department of Homeland Security’s cybersecurity division has tried to encourage states to set up VDPs by releasing a best practices guide for doing so.

“Ohio’s vulnerability disclosure policy is a terrific sign that transparency is increasing across the board for election security,” said Jack Cable, an elections-focused security researcher.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.