Discussion about responsible disclosure definition
On January 20, 2021 two researchers raised the following questions and remarks concerning the definition of the Coordinated Vulnerability Disclosure. Please find below our answer and supplementary contextual information related to the context of Switzerland and Swiss Post.
- 1/6 : I think e-voting Responsible Disclosure is special. e-voting systems generally run for short, intense, periods, and are otherwise unused. They also have external deadlines, e.g. the end of voting or the end of the period in which the outcome can be challenged.
- 2/6 : So while 90 days is a common standard disclosure time, it might not be OK for elections. If the code isn't running until a long time in the future, there is neither any strong reason for immediate public disclosure, nor any particular reason for secrecy (except for PR).
- 3/6 : If the code isn't running now, but will be running in <90 days, then you may have a strong obligation to disclose publicly, and warn people not to start running or using it. I wouldn't sign a 90-day confidentiality deed <90 days from election day.
- 4/6 : If it is already running, then you have a serious dilemma for which I cannot think of a good solution. Telling candidates and voters is critically important, so is hiding the problem from attackers. Unfortunately, a confidentiality agreement can even disincentivise fixing.
- 5/6 : If you find out after public disclosure that some other authority is running the code in a government election without ever having let anyone with relevant knowledge examine it beforehand, then there is no good solution at that point.
- 6/6 : Bottom line: there will be bugs, and if all election code, design docs, specs, and everything, is openly available for public inspection a long time before the election, you have some chance of finding some of them. Don't ask us to keep them secret through election time.
- An interesting question: how essential is responsible/coordinated disclosure when there's no active user base? Why does the vendor need 90 days to patch a product that hasn't been used yet?
- Responsible Disclosure is a tricky problem with #EVoting and it is one that we discussed in detail in the expert dialogue (with important contributions by @VTeagueAus). Please see item 10.4.3 in the report for a summary of the discussion. https://bk.admin.ch/dam/bk/en/doku...