Minnesota Secretary Of State - Vulnerability Disclosure Program

Vulnerability Disclosure Program


Vulnerability Disclosure Philosophy

The Office of the Minnesota Secretary of State believes effective disclosure of security vulnerabilities requires mutual trust, respect, transparency and common good between the Office and Security Researchers. Together, our partnership promotes the continued security and privacy of the Office of the Minnesota Secretary of State's users, systems, and data.

Security Researchers

The Office of the Minnesota Secretary of State accepts vulnerability reports from all sources such as independent security researchers, industry partners, vendors, public and private customers, and consultants. The Office of the Minnesota Secretary of State defines a security vulnerability as an unintended weakness or exposure that could be used to compromise the integrity, availability, or confidentiality of our services.

Scope

In Scope Domains

At the current time, only the following domains are covered by this policy and are in scope for the vulnerability disclosure program:

  • apostille.sos.state.mn.us
  • apostille.sos.mn.gov
  • candidates.sos.state.mn.us
  • candidates.sos.mn.gov
  • caucusfinder.sos.state.mn.us
  • caucusfinder.sos.mn.gov
  • commissionsandappointments.sos.state.mn.us
  • commissionsandappointments.sos.mn.gov
  • commoncontent.sos.state.mn.us
  • commoncontent.sos.mn.gov
  • electionresults.sos.state.mn.us
  • electionresults.sos.mn.gov
  • electionresultsfiles.sos.state.mn.us
  • electionresultsfiles.sos.mn.gov
  • mblsportal.sos.state.mn.us
  • mblsportal.sos.mn.gov
  • mnvotes.sos.state.mn.us
  • mnvotes.sos.mn.gov
  • myballotmn.sos.state.mn.us
  • myballotmn.sos.mn.gov
  • notary.sos.state.mn.us
  • notary.sos.mn.gov
  • officialdocuments.sos.state.mn.us
  • officialdocuments.sos.mn.gov
  • pollfinder.sos.state.mn.us
  • pollfinder.sos.mn.gov
  • www.sos.state.mn.us
  • www.sos.mn.gov

Please check back frequently as the scope will be expanded over time.

Out of Scope Testing

The following types of tests and reports are considered out of scope for this program:

  • Denial of Service tests or any other types of tests that could disrupt the access and use of our systems
  • Defacement
  • Physical vulnerability testing at our office locations and data centers
  • Social Engineering
  • Reporting informational vulnerabilities such as missing security headers, visible stack traces, potentially vulnerable 3rd party dependencies etc. unless they are exploitable. The Office of the Minnesota Secretary of State and its partners routinely scan the agency's web presence and are likely already aware of any issues that can be caught by an automated scan. The Office of the Minnesota Secretary of State is primarily interested in hearing about vulnerabilities that can actively be leveraged as opposed to theoretical issues.
  • Any actions that violate the good faith filing stance of the Office. Researchers must not take any actions impersonating an existing customer or legal entity. For example, researchers must not take actions such as submitting filings for a business that has not given them the authority to do so, filing a lien against someone, performing an absentee ballot request for an existing citizen, or submitting any voter-related forms with false data. These types of testing will be considered fraudulent activity and will not fall under the vulnerability disclosure program's authorization provision.

Our Commitment to Researchers

  • Trust. We maintain trust and confidentiality in our professional exchanges with security researchers.
  • Respect. We treat all researchers with respect and recognize your contribution to keeping our customers safe and secure.
  • Transparency. We will work with you to validate and remediate reported vulnerabilities in accordance with our commitment to security and privacy.
  • Common Good. We investigate and remediate issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability.

What We Ask of Researchers

  • Trust. We request that you communicate about potential vulnerabilities in a responsible manner, providing sufficient time and information for our team to validate and address potential issues.
  • Respect. We request that researchers make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing. We also ask that you stop testing and inform us immediately if you find any vulnerabilities that disclose sensitive personal information (e.g. social security numbers, driver's license numbers, date of birth) or financial information (e.g. credit card or banking information), or information classified as private under Minnesota Statutes, chapter 13.
  • Transparency. We request that researchers provide the technical details and background necessary for our team to identify and validate reported issues, using the form below.
  • Common Good. We request that researchers act for the common good, protecting user privacy and security by refraining from publicly disclosing unverified vulnerabilities until our team has had time to validate and address reported issues.

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and the Office of the Minnesota Secretary of State will not recommend or pursue legal action related to your research.

Outside of this authorization granted to you against in scope assets, you must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.

The Office of the Minnesota Secretary of State does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.

To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-Minnesota Secretary of State entity (e.g. other State of Minnesota or federal departments or agencies; local, or tribal governments; private sector companies or persons; employees or personnel of any such entities; or any other such third party), that non-Minnesota Secretary of State third party may independently determine whether to pursue legal action or remedies related to such activities. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Vulnerability Reporting and Coordinated Disclosure

The Office of the Minnesota Secretary of State recommends that security researchers share the details of any suspected vulnerabilities in any in-scope asset using the web form below, which submits the report to the agency's vulnerability program hosted and managed by Bugcrowd. The Office of the Minnesota Secretary of State's security team will acknowledge receipt of each vulnerability report within 7 business days, conduct a thorough investigation, and then take appropriate action for resolution. The Office of the Minnesota Secretary of State strives to remediate any in-scope leverageable vulnerability within 120 days. Researchers may disclose remediated vulnerabilities once given the go-ahead by the Office of the Minnesota Secretary of State or after 120 days (whichever comes first). Any violation of this timeline will be considered a breach of this policy and its protections. If you have any questions or comments about this program, contact us at vdp.oss@state.mn.us.