Today we are launching the [ElectionGuard Bounty program](http://www.microsoft.com/msrc/bounty-electionguard).
In May 2019, we announced the release of ElectionGuard, a free open-source SDK to make voting more secure, transparent, and accessible. ElectionGuard enables end-to-end verification of elections, opens results to third-party organizations for secure validation, and allows individual voters to confirm their votes were correctly counted. The ElectionGuard Bounty program invites security researchers to partner with Microsoft to secure ElectionGuard users, and is a part of Microsoft’s broader commitment to preserving and protecting electoral processes under the Defending Democracy Program.
Researchers from across the globe, whether full-time cybersecurity professionals, part-time hobbyists, or students, are invited to discover high-impact vulnerabilities in targeted areas of the ElectionGuard SDK and share them with Microsoft under Coordinated Vulnerability Disclosure (CVD). Eligible submissions with a clear, concise proof of concept (POC) can receive awards of up to US$15,000.
Bug bounty programs are common among technology companies, where they are used to incentivize the identification and coordinated disclosure of security vulnerabilities. Bug bounty programs have been implemented by a large number of organizations, including the Department of Defense, United Airlines, Twitter, Google, Apple, Microsoft and many others.
Microsoft strongly believes close partnerships with researchers make customers more secure. Security researchers play an integral role in the ecosystem by discovering and reporting vulnerabilities to Microsoft through coordinated vulnerability disclosure. Security researchers have repeatedly demonstrated that working together helps protect customers, and each year we partner to better protect billions of customers worldwide.
Microsoft paid $4.4 million in bounty rewards between July 1, 2018 and June 30, 2019 across 11 bounty programs with a top award of $200,000. Further details about Microsoft’s Bug Bounty Programs are available here.
Microsoft is committed to strengthening our partnership with the security research community as well as pursuing new areas for security improvement in emerging technology. We look forward to sharing more bounty updates and improvements in the coming months.
Jarek Stanley, Senior Program Manager, MSRC