PROGRAM DESCRIPTION 

ElectionGuard is an open source software development kit (SDK) that makes voting more secure, transparent, and accessible. The ElectionGuard bounty program invites researchers across the globe to identify security vulnerabilities in targeted ElectionGuard repositories and share them with our team. Qualified submissions are eligible for bounty rewards from $500 to $15,000 USD. 

Bounties will be awarded at Microsoft’s discretion based on the severity and impact of the vulnerability and the quality of the submission, and subject to the Microsoft Bounty Terms and Conditions.   

IN-SCOPE SERVICES AND PRODUCTS  

The ElectionGuard SDK includes multiple repositories, components, and reference implementations to guide implementers. The following components and vulnerability types are currently in scope for bounty awards. As additional components develop, we will update the bounty scope to reward further research.

  • ElectionGuard specification and documentation: Mathematical errors in the specification resulting in an election vulnerability, including but not limited to
    • Proof checking procedures that say a proof is valid when it isn't 
    • Transmission of data that can allow votes to be discovered 
    • Transmission of data that can allow discovery of secret keys 
    • Transmission of data that can allow discovery of secret key shares 
  • Verifier reference implementation: Vulnerabilities including but not limited to 
    • Inputs to the reference verifier that do not represent valid elections yet are reported to be valid by the verifier. 
  • ElectionGuard API SDK: C Cryptography implementations (excludes items appearing in the limitations from the README) 
    • Bugs in proof generation or proof sanity checking code 
    • Attacks allowing for key or vote discovery by observing SDK messages 
    • Sequences of calls to the API in an expected order that result in an election that does not decrypt or verify 

WHAT CONSTITUTES AN ELIGIBLE SUBMISSION? 

The goal of the bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of ElectionGuard users. Vulnerability submissions must meet the following criteria to be eligible for bounty awards:  

  • Identify a previously unreported vulnerability in the latest version of the ElectionGuard SDK within the in-scope repositories. 
  • Include a clear, concise proof of concept (PoC), either in writing or in video format, to demonstrate how this vulnerability or flaw could be exploited to achieve an in-scope security impact.
    • This allows submissions to be reviewed as quickly as possible and supports higher bounty awards.  

Microsoft may, at its sole discretion, accept or reject any submission that we determine does not meet the above criteria.

HOW ARE PAYMENT AMOUNTS SET? 

Bounty awards range from $500 up to $15,000. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgment if their submission leads to a vulnerability fix. 


Security Impact             Report Quality      Award
Elevation of Privilege      Content Complete    $15,000
                            Baseline            $3,000
Information Disclosure      Content Complete    $15,000
                            Baseline            $3,000
Security Design Flaw        Content Complete    $8,000
                            Baseline            $1,000
Spoofing/Tampering          Content Complete    $3,000
                            Baseline            $500
Remote Denial of Service    Content Complete    $3,000
                            Baseline            $500

Security Impact                                          Report Quality      Award
Documentation or samples included in documentation       Content Complete    $1,000
are insecure or encourage insecurity.                    Baseline            $500

Content Complete: Includes all components required in the “What constitutes an eligible submission?” section of this bounty.

Baseline: Includes some of the components but the contents are incomplete, inaccurate, or difficult to understand or reproduce. We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when assessing the quality of each submission.  

OUT-OF-SCOPE VULNERABILITIES

The MSRC is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for a bounty reward. Here are some of the common low-severity or out-of-scope issues that typically do not earn bounty rewards:

  • Publicly disclosed vulnerabilities which are already known to Microsoft and the wider security community.
  • Vulnerabilities in anything earlier than the current master branch 
  • Vulnerabilities based on user configuration or action, for example: 
    • Vulnerabilities requiring extensive or unlikely user actions 
    • Vulnerabilities which disable or do not use any built-in mitigation mechanisms 

We reserve the right to accept or reject any submission that we determine, in our sole discretion, falls into any of these or other categories of vulnerabilities even if otherwise eligible for a bounty. 

HOW DO I PROVIDE MY REPORT?  

Send your complete submission to Microsoft using the MSRC submission portal and the bug submission guidelines. We request that you follow Coordinated Vulnerability Disclosure when reporting all vulnerabilities. We will exercise reasonable efforts to clarify indecipherable or incomplete submissions.

Have questions? We're always available at secure@microsoft.com

BOUNTY AWARDS  

Microsoft retains sole discretion in determining award amounts and which submissions are eligible and in scope.

  • There are no restrictions on the number of qualified submissions an individual submitter may provide or number of awards a submitter may receive.  
  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.   
  • If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.    
  • If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program.

TERMS AND CONDITIONS  

For additional information on Microsoft bounty program requirements and legal guidelines, please see our Bounty Terms and our FAQ.


Revision History

  • October 16, 2019: Program launched