Vulnerability Disclosure Policy

Last modified on May 27, 2026.

Our Commitment

Simply Voting takes the security of our platform and the integrity of elections conducted on it seriously. We welcome reports from security researchers who discover potential vulnerabilities in our systems. This policy describes how to report vulnerabilities to us and what you can expect in return.

Scope

In scope:

  • The Simply Voting Election Manager application at www1.simplyvoting.com/manage/
  • Simply Voting voting websites hosted on our infrastructure
  • Simply Voting APIs
  • Simply Voting authentication and administrative systems

Out of scope:

  • Election data, voter information, or ballots belonging to our clients
  • Third-party services and infrastructure we do not control
  • Denial-of-service attacks of any kind
  • Social engineering of Simply Voting employees or clients
  • Physical security testing
  • Vulnerabilities in outdated browsers or platforms no longer in mainstream support

If you are unsure whether a target is in scope, contact us before testing.

Reporting a Vulnerability

Send your report to security@simplyvoting.com. For sensitive findings, you may encrypt your message using our PGP key (see below).

Please include:

  • A description of the vulnerability and its potential impact
  • The affected URL, component, or system
  • Step-by-step reproduction instructions
  • Any screenshots, logs, or proof-of-concept code that supports your finding
  • Your name or handle (for acknowledgement, if desired)

Our Process

Once we receive your report, we will:

  1. Acknowledge receipt within 3 business days
  2. Triage and validate the finding, typically within 10 business days
  3. Keep you informed of our remediation progress
  4. Target remediation within 90 days of validation for significant findings
  5. Notify you when the vulnerability has been resolved
  6. Coordinate disclosure timing with you before any public disclosure

Safe Harbor

Simply Voting will not pursue legal action against researchers who:

  • Act in good faith and comply with this policy
  • Avoid accessing, modifying, or deleting data that does not belong to them
  • Do not disrupt or degrade our services or those of our clients
  • Do not exploit a vulnerability beyond what is needed to demonstrate it
  • Disclose findings to us before making them public

We consider good-faith security research conducted under this policy to be authorized. If legal action is initiated by a third party, we will make clear that your research was conducted in accordance with this policy.

Acknowledgements

We believe in recognizing the researchers who help keep our platform secure. With your permission, we will list your name or handle on our Security Acknowledgements page.

Simply Voting may, at its sole discretion, provide rewards for exceptional findings.

We do not operate a paid bug bounty program at this time.

Coordinated Vulnerability Disclosure

This policy is designed to support coordinated vulnerability disclosure consistent with internationally recognized standards, including ISO/IEC 29147. Our goal is to ensure that vulnerabilities are remediated before public disclosure, protecting the elections and organizations that rely on our platform.

Contact

Email: security@simplyvoting.com
PGP key: https://www.simplyvoting.com/pgp-key.txt
Response time: Within 3 business days

For general security inquiries or to learn about our security practices, visit our Security & Reliability page.