Microsoft Kicks-off ElectionGuard Bug Bounty Program

• ElectionGuard commits to end-to-end verification of elections and secure third-party validation.
• Eligible submissions with a clear, concise proof of concept (POC) are eligible for awards up to US$15,000.

In finding the right balance between transparency and security in voting through machines, in May 2019, Microsoft announced an open-source software development kit (SDK)—ElectionGuard, that aims to enable end-to-end verification of voting. The program launches today.

Why do we need ElectionGuard?

The use of machines in elections is normally questioned for its integrity and transparency during every election season. There is now a fair divide between people trusing and not trusting software-based voting machines. The issue arises because such systems are only vetted by a closed group of experts.

Bounty program highlights

Microsoft's ElectionGuard SDK can be integrated into voting systems and has been designed to “enable end-to-end verification of elections, open results to third-party organizations for secure validation, and allow individual voters to confirm their votes were correctly counted."

• Participants will have to identify high impact vulnerabilities in targeted ElectionGuard repositories and share them with the Microsoft team.
• Cybersecurity researchers, whether full-time cybersecurity professionals, part-time hobbyists, or students can participate in the program.
• A reward of up to $15,000 for eligible submissions with a clear and concise proof of concept (PoC).

"The ElectionGuard Bounty program invites security researchers to partner with Microsoft to secure ElectionGuard users, and is a part of Microsoft's broader commitment to preserving and protecting electoral processes under the Defending Democracy Program," the company says in its blog post.

Details you cannot miss

The ElectionGuard components that are currently in scope for bug bounty awards include ElectionGuard API SDK, ElectionGuard specification and documentation, and verifier reference implementation.

Bounties will be awarded at Microsoft’s discretion based on the severity and impact of the vulnerability and the quality of the submission, and subject to the Microsoft Bounty Terms and Conditions.

However, the tech giant says it will update the ElectionGuard bounty scope with additional components to award further in the future.

According to Microsoft, it has distributed over 4.4M (£3.6 million) to bounty hunters between July 1, 2018, and June 30, 2019, across 11 bounty programs. Its previous bounty program was dedicated to the security of Azure Security Lab.