Democratic tech vendors go under the cyber microscope

Illustration: Aïda Amer/Axios
A new program is ramping up to help Democratic Party technology providers discover bugs in their systems before malicious hackers do.
Why it matters: Political organizations are often wary of participating in bug bounty programs — where researchers poke at an organization's systems to see if there are vulnerabilities — over fears that the findings would be weaponized against them by their opponents.
- But avoiding these programs also leaves highly targeted political organizations uninformed about the ways hackers can breach their systems.
Driving the news: Three political tech organizations — Higher Ground Labs, Trestle Collaborative and Zinc Collective — have opened applications for the third edition of The Good Catch, a bug bounty program dedicated to Democratic tech vendors.
- The program ran during the 2020 and 2022 election cycles, and this cycle's program will run up until next year's U.S. presidential election, Matt Hodges, executive director at Zinc Collective's Democrat-focused political tech lab, told Axios.
- Ideal tech vendors for the program include a range of companies, such as those that facilitate email marketing campaigns or those that let campaigns text voters with updates or donation requests.
What they're saying: "There's a lot of hesitation within all political technology to talk about security work, but we know from industry that things like bug bounty programs are common activities," Hodges said.
- "Being a little bit out front that we're doing this work can encourage other entities within this space to make similar types of investments," he added.
Flashback: In 2016, Russian hackers succeeded in stealing and publishing archives of emails from Hillary Clinton's campaign, putting Democrats on alert ever since.
How it works: Participating tech vendors will create an account on Federacy, a platform that hosts and manages bug bounty programs for organizations.
- Each company that signs up will keep its program private by default, meaning only vetted researchers will be invited to participate. But participating vendors can also decide to open up their bug bounty programs to the entire platform, Hodges said.
- Once their programs are up and running, vendors will start to receive reports of potentially exploitable security flaws in their systems, which they will need to triage and verify on their own.
- "There were a number of reports that came in that either simply were a misunderstanding of how the tool was supposed to work or just could not be replicated based on what the researcher reported," Hodges said of past years' reports.
Between the lines: To help amplify the effort in its third iteration, the program has hired a new manager: Will Rogers, former chief information security officer at Democratic political tech organization ActBlue.
- "This gave the opportunity to have impact across the spectrum of the Dem ecosystem from a tech perspective," Rogers told Axios.
- Rogers has helped run bug bounty programs in past roles, including at ActBlue, software company mParticle and Etsy.
The intrigue: The Good Catch will also help vendors figure out how to best remedy the vulnerabilities researchers uncover, Rogers said.
- If requested, the program can provide vendors with some general advice about how to stand up their security programs and can recommend other consultancy firms to help with more nuanced questions, Rogers added.
Zoom in: During the 2022 election cycle's program, researchers reported 118 vulnerabilities as part of The Good Catch, and 82% of those were confirmed and resolved, according to figures shared with Axios.
- Six tech vendors also participated in the program during the most recent cycle.
Yes, but: A bug bounty program is just one part of any organization's entire cybersecurity strategy, Rogers said.
