Last Updated: January 11, 2026
- Introduction
The Election Security Exchange (“ESX,” “we,” “us,” or “our”) welcomes feedback from security researchers and the public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This Vulnerability Disclosure Policy (the “Policy”) outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us. This program does not provide monetary rewards or bounties for disclosures.
- Scope
- In-Scope Systems
- This Policy applies to all digital assets owned, operated, or maintained by ESX, including but not limited to web properties, ESX-managed election-security tools, and associated APIs.
- Out-of-Scope Systems and Activities
- Assets or other equipment not owned by the parties participating in this Policy.
- Physical security testing.
- Automated scanning at a volume that degrades system performance.
Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.
- Our Commitments
When working with us, according to this Policy, you can expect us to:
- Commit to acknowledging receipt of your report within three (3) business days and to working with you to understand and validate it.
- Strive to keep you informed about the progress of a vulnerability as it is processed. Our team will perform initial triage and provide a status update on the issue’s validity and severity within ten (10) business days of acknowledging receipt of your report.
- Work to remediate discovered vulnerabilities promptly, within our operational constraints.
- Extend Safe Harbor for your vulnerability research that is related to this Policy.
- Protect your identity and treat your report confidentially unless disclosure is required for remediation or by law; however, in appropriate cases at your request, we may publicly credit you.
- Our Expectations
In participating in our vulnerability disclosure program in good faith, we ask that you:
- Play by the rules, including following this Policy and any other relevant agreements. If there is any inconsistency between this Policy and any other applicable terms, then for activity conducted in good faith under this Policy and for the sole purpose of security research, the terms of this Policy will prevail.
- Provide prompt reports about any vulnerability you’ve discovered that include, to the extent possible, the affected asset, reproduction steps, expected versus actual results, potential impact, and proof-of-concept materials.
- Avoid violating others’ privacy, disrupting our systems, destroying data, or harming the user experience.
- Use only Official Channels to discuss vulnerability information with us.
- Provide us a reasonable amount of time (at least ninety (90) days from the initial report) to resolve the issue before you disclose it publicly.
- Perform testing only on in-scope systems and respect what we have identified as out-of-scope systems and activities.
- If a vulnerability provides unintended access to data:
- Limit the amount of data you access to the minimum required for effectively demonstrating a proof of concept; and,
- Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (“PII”), Personal Healthcare Information (“PHI”), financial or credit card data, or proprietary information.
- Upon discovering nonpublic data, you must immediately cease testing, notify us, and purge any stored nonpublic data upon reporting a vulnerability.
- Don’t send us any PII, PHI, or financial or proprietary information if you can avoid it; and, at our request, confirm deletion of any such materials and any other materials obtained during testing.
- You should only interact with test accounts you own or with explicit permission from the account holder.
- Do not engage in extortion. This program does not provide monetary rewards or bounties for disclosures, and you grant us a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully paid-up, royalty-free license to use or otherwise exploit your report and all information or materials you provide.
- Do not attempt to access third-party user accounts, email inboxes, or data belonging to unrelated parties.
- Unauthorized Test Methods
The following test methods are strictly forbidden as they can degrade system performance or violate user privacy:
- Denial of Service (“DoS”) or Distributed Denial of Service (“DDoS”) attacks.
- Automated scanning at a volume that degrades system performance.
- Executing or attempting to execute resource exhaustion attacks.
- Using brute-force, password-spraying, or credential-stuffing techniques.
- Establishing persistence or pivoting to other systems.
- Exfiltrating data.
- Introducing malicious software, viruses, or worms.
- Social engineering or phishing attempts against our employees or customers.
- Testing third-party applications or websites that integrate with our systems.
- Any physical attempts to compromise ESX facilities, infrastructure, or equipment.
- Official Channels
Please report security issues via email to security@securingelections.org, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue. We will coordinate the exchange of information on sensitive vulnerability details, if applicable, via an encrypted and secure channel after your initial report.
- Safe Harbor
When you conduct vulnerability research in accordance with this Policy, we consider that research to be:
- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this Policy.
- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls.
- Exempt from restrictions in our Terms of Use (or our Acceptable Use Policy (“AUP”), if conducted by employees or others who are subject to it) that would interfere with conducting security research, and we waive those restrictions on a limited basis.
- Lawful and helpful to the overall security of the Internet, and conducted in good faith.
We support the protection of organizations and hackers engaged in Good Faith Security Research. “Good Faith Security Research” is accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs or those who use such devices, machines, or online services.
We consider Good Faith Security Research to be authorized activity that is protected from adversarial legal action by us.
This means that for Good Faith Security Research conducted with a good faith effort to comply with our program guidelines and while this program is active, we:
- Will not bring legal action against you or report you, including for bypassing technological measures we use to protect the applications in scope; and,
- Will take steps to make known that you conducted Good Faith Security Research if someone else brings legal action against you.
You should contact us for clarification before engaging in conduct that you think may be inconsistent with Good Faith Security Research or unaddressed by our guidelines.
Keep in mind that: (1) we are not able to authorize security research on third-party infrastructure, and (2) third parties, such as other individuals, businesses, or law enforcement, are not bound by this safe harbor statement.
Safe Harbor protections do not apply to acts that intentionally cause harm, data loss, or privacy compromise.
- Questions/Contact
For questions or clarification about this program, including scope or Safe Harbor details, please contact us at security@securingelections.org.
- Updates and Version History
We may update this policy at any time. This table contains a history of this publication’s revisions:
| Version | Date | Purpose of Revision |
|---|---|---|
| 1.0 (Original) | 11-11-2025 | Initial document |
| 1.0 (Original, with edits) | 12-15-2025 | Attorney review |
| 1.0 (Original, with edits) | 12-16-2025 | Adjudication |
| 1.0 (Original, Final) | 01-11-2026 | Final legal and adjudication |