COLUMBUS – Today, Ohio Secretary of State Frank LaRose announced that the first reports submitted under his first-in-the-nation Vulnerability Disclosure Policy are now publicly available online. Last year, Ohio broke new ground when its Secretary of State became the first to implement a Vulnerability Disclosure Policy.
The policy establishes procedures for outside researchers to inspect the Secretary of State’s website for vulnerabilities. Once a vulnerability is reported, the policy allows 120 calendar days for LaRose’s office to repair it before the researcher may publicly announce the discovery. Having a defined time period assures the cybersecurity community that reports of potential vulnerabilities will be treated with the seriousness they deserve.
It’s common for both private and public entities’ websites to have vulnerabilities of varying degrees of critical urgency, and in turn, many private companies utilize Vulnerability Disclosure Policies. By asking cyber-security researchers to discover and share those vulnerabilities, an organization can move swiftly to remedy the problem. In fact, many private companies offer financial incentives for white-hat hackers to discover vulnerabilities on their websites.
“Whether you’re Verizon, Uber, the Pentagon, or our office, asking white hat hackers to dig into your website’s vulnerabilities is just smart policy,” said LaRose. “Thanks to the help of some highly regarded and civically-minded cyber-security researchers, a few minor issues were quickly resolved. Voters need to have confidence in Ohio’s elections systems and we’re going above and beyond to provide that assurance.”
Since the inception of the policy, five reports have been submitted and four reports have been resolved. The outstanding report is still within the window of review and is not critical in nature. The issues that were resolved did not negatively impact any users of the Ohio Secretary of State’s website and were swiftly resolved. Additionally, none of the identified vulnerabilities impacted voting or related systems. The Ohio Secretary of State HackerOne profile page is available at https://hackerone.com/ohiosecretaryofstate.
Since Secretary LaRose implemented the 2019 Election Security Directive, Ohio has been a national leader in election security. That directive set in place a 34-point security checklist for both the county boards and the Secretary of State’s office. Those requirements were improved upon when the Secretary issued the 2020 Election Security & Accessibility Directive, which continues Ohio’s position as the national leader in election security.