Policy Brief: H.R. 6315, SECURE IT Act (119th Congress, Nov 25th 2025), status: in committee

The SECURE IT Act mandates penetration testing for certified voting systems and establishes a voluntary pilot program for independent security researchers to test election technology and report vulnerabilities.

Sponsor: David Valadao (R), Representative, CA-22

SECURE IT Act Mandates Hacking Tests for Voting Systems, Creates Five-Year Bug Bounty Program

If you’ve ever worried about the security of the machines that count our votes, this bill is the fine print you’ve been waiting for. The Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing Act—or the SECURE IT Act—mandates that voting hardware and software must pass a series of simulated cyberattacks before they can be certified for use. Think of it as a required stress test for election tech.

Mandatory Stress Tests for Voting Machines

Section 2 of the bill is the big change for the voting system industry. It requires the Election Assistance Commission (EAC) to incorporate penetration testing into the standard testing and certification process for all voting systems. Penetration testing, often called 'pen testing,' means a team of experts attempts to hack the system to find vulnerabilities. This isn’t a suggestion; it’s now a requirement for initial certification, decertification, and recertification. The EAC has 180 days after the bill becomes law to implement this new testing standard.

To handle this specialized testing, the bill also shifts how the EAC accredits the labs doing the work. The National Institute of Standards and Technology (NIST) will recommend specific entities qualified to conduct this high-level pen testing, and the EAC will vote on their accreditation. Essentially, the bill ensures that the security checks are performed by experts specifically qualified in offensive cybersecurity, not just general hardware testing.

The Five-Year ‘Bug Bounty’ Pilot Program

Section 3 sets up a five-year pilot program called the Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems (VDPE). This is the part that brings in the outside security community. It creates a formal, legal framework for vetted cybersecurity researchers—the ethical hackers—to voluntarily test election systems and report any flaws they find. This is a huge deal because it addresses the legal risk that often prevents researchers from poking around election tech.

Under this program, if a researcher finds a flaw while acting in good faith, they are protected from legal action under the often-feared Computer Fraud and Abuse Act (18 U.S.C. 1030) and the Digital Millennium Copyright Act (17 U.S.C. 1201). This safe harbor is the key incentive for researchers to participate. They must, however, immediately report the vulnerability confidentially to the vendor, the EAC, and the Department of Homeland Security (DHS).

The Vendor Catch-22: Fixes and Deadlines

For election system vendors, the bill means more scrutiny and tighter deadlines. Once a vendor is notified of a critical or high-severity vulnerability, they must send a fix to the appropriate state and local election officials. If the fix is for a system already certified by the EAC, the Commission must review and approve that fix within 90 days. If the EAC doesn't complete the review within that 90-day window, the fix is automatically considered certified and can be deployed.

While this expedited 90-day rule is meant to prevent bureaucratic delays from holding up critical security patches, it presents a potential trade-off. Automatically certifying a fix if the EAC misses the deadline could, in a rare scenario, introduce a new, unvetted bug into the system. The bill requires that the vulnerability itself remain confidential for 180 days after it is reported. After that period, the vulnerability is reported to CISA to be added to the public Common Vulnerabilities and Exposures database, ensuring public knowledge of the flaw once it’s been addressed.

Overall, the SECURE IT Act moves election security from a voluntary exercise to a mandatory, standardized process. It’s a clear win for election integrity, relying on the principle that if you want a system to be secure, you have to let the experts try to break it first.