Microsoft to Reward Hackers for Finding Bugs in Open Source Election Software
Whether it’s American voting machines during the 2016 presidential election or India’s EVMs during the 2014 general elections, the integrity, transparency, and security of electronic voting machines have remained questionable, leaving a wound in the minds of many that is difficult to heal.
Many countries, including India, the largest democracy in the world, believe that the best way to ensure the security of EVM technology is to make it opaque to bad actors, but in recent years a large section of the population has been losing trust in any system that has been certified only by a closed group of experts.
To strike a balance between transparency and security, in May 2019, Microsoft released a free, open-source software development kit (SDK) called ElectionGuard that aims to enable end-to-end verification of voting.
Microsoft’s ElectionGuard SDK can be integrated into voting systems and has been designed to “enable end-to-end verification of elections, open results to third-party organizations for secure validation, and allow individual voters to confirm their votes were correctly counted.”
ElectionGuard Bug Bounty Program
Since no software comes bug-free, Microsoft today finally launched the ElectionGuard Bounty program, inviting security researchers from across the world to help the company discover high-impact vulnerabilities in the ElectionGuard SDK.
“The ElectionGuard Bounty program invites security researchers to partner with Microsoft to secure ElectionGuard users, and is a part of Microsoft’s broader commitment to preserving and protecting electoral processes under the Defending Democracy Program,” the company says in a blog post published today.
“Researchers from across the globe, whether full-time cybersecurity professionals, part-time hobbyists, or students, are invited to discover high impact vulnerabilities in targeted areas of the ElectionGuard SDK and share them with Microsoft under Coordinated Vulnerability Disclosure (CVD).”
ElectionGuard Bounty offers cybersecurity researchers a reward of up to $15,000 for eligible submissions with a clear and concise proof of concept (POC) to demonstrate how the discovered vulnerability could be exploited to achieve an in-scope security impact.
The ElectionGuard components that are currently in scope for bug bounty awards include the ElectionGuard API SDK, the ElectionGuard specification and documentation, and the verifier reference implementation.
However, the tech giant says it will update the ElectionGuard bounty scope with additional components to award further research in the future.