All software is vulnerable – the question is how you manage it

May 21, 2024
Ben Adida

We all want perfect security. And yet, we all know there's no such thing. At VotingWorks, we've built a particularly secure voting system, and we've made it fully open-source for transparency. Still, if anyone claims our system is perfectly secure, we'll be the first to correct them. Every system is vulnerable, given enough effort and time.

So if every system is vulnerable, how can you judge how securely a system is designed? One way is to look at how an organization handles vulnerabilities as they're discovered and reported. The more open and clear that handling is, the more accountable the organization is to the public, and the better off we all are. That's what we want to do at VotingWorks – to keep ourselves accountable to the public in everything we do. Handling reported vulnerabilities clearly and openly is a big part of that goal. Through complete transparency, we believe we can earn voters' and election administrators' trust.

Today, we're proud to announce that VotingWorks is now a CVE Numbering Authority. This means we have joined a global community of organizations that work to ensure that vulnerabilities are properly disclosed and mitigated. We have a standard, simple policy for reporting and disclosing vulnerabilities in our system, and we publish our security advisories. We have selected CISA as our root numbering authority, which means we will consult with CISA on improving our policies over time. CISA is deeply experienced in critical infrastructure technology, which makes them an obvious fit for our work.

So, if you find a vulnerability in our products, please report it. We will work closely with you to address the issue and disclose it as quickly as possible.