Certificate 7: Coordinated Vulnerability Disclosure for Election Systems
Stand up a coordinated vulnerability disclosure program aligned with H.R. 6315, ISO/IEC 29147, and CISA guidance.
ESAVA Educator
You'll be notified when this class opens for registration.
Program Features
- Interactive LMS Content
- Blockchain-based Certificate
Program Features
- Interactive LMS Content
- Blockchain-based Certificate
Description
Purpose Operationalize the coordinated vulnerability disclosure framework contemplated by H.R. 6315 (the SECURE IT Act) so that election technology can receive — and act on — researcher findings without legal ambiguity.
Who It’s For
- Voting system vendor PSIRT and security leadership
- State Secretaries of State and election directors weighing public-disclosure policy
- Compliance counsel drafting researcher safe-harbor language
- Independent security researchers participating in election-system VDPs
- EAC staff reviewing vendor disclosure obligations
What You Will Learn
- The standalone H.R. 6315 framework and how it differs from §6805
- ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling)
- Researcher safe-harbor language: scope, conduct, and limitations
- Encrypted submission portals, triage workflows, and CVSS scoring
- Coordinated disclosure timing: vendor, jurisdiction, and public advisory
- CISA coordination expectations for election-sector vulnerabilities
- Public advisory publishing and post-disclosure follow-through
Outcome Practitioners can stand up a defensible CVD program that protects researchers, vendors, and election officials simultaneously.
Federal Grant Eligibility
This certificate supports compliance with NDAA FY2025 §6805, which amends the Help America Vote Act of 2002 (HAVA) to require penetration testing as part of federal voting-system certification. Tuition is an allowable use of HAVA Election Security Grant funds (Title I §101) when the learner is an election official, election IT staff member, auditor, or contractor supporting the certification or operation of voting systems.
Individual and group enrollment receipts include the line items, learner roster, and completion record most state EAC sub-grant offices require for reimbursement. State Homeland Security Grant Program (SHSGP) election-security set-asides and state-level election security grants are also commonly used to fund ESAVA enrollment.
Eligible under HAVA §101 cybersecurity allowable uses; pair with state SHSGP set-aside if available.
Need help routing payment through your state's HAVA pipeline? Use Request Grant-Funded Enrollment and we will provide a justification memo, scope-of-training letter, and W-9 sized to your state's reimbursement form.
Program Syllabus
Syllabus / Topics Covered
Module 1 – Statutory and Standards Foundation
- H.R. 6315 (SECURE IT Act) Coordinated Vulnerability Disclosure pilot
- How H.R. 6315 differs from §6805 certification testing
- ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (handling)
- CISA expectations for election-sector vulnerabilities
Module 2 – Researcher Safe Harbor and Legal Framework
- Drafting safe-harbor language: scope, conduct, and limits
- Computer Fraud and Abuse Act considerations
- Coordinating with state election counsel
Module 3 – Submission Portal Operations
- Encrypted submission portal design
- Researcher onboarding and identity verification
- Communication channels and response timelines
Module 4 – Triage, Scoring, and Severity
- CVSS v3.1 / v4.0 scoring for election-system findings
- Election-impact weighting beyond CVSS
- Reproducibility and evidence handling
Module 5 – Coordinated Disclosure Timing
- Vendor, jurisdiction, and public advisory phases
- Embargo windows and election-cycle awareness
- Multi-vendor coordination scenarios
Module 6 – CISA Coordination and Public Advisory
- Engaging CISA election security advisors
- Drafting public advisories that protect operations and trust
- Post-disclosure follow-through and metrics