Security contact

We appreciate every report. However, please take into account that our team is very busy and will not respond to reports that we classify as low severity or invalid (for example, server DoS or headers such as "X-Powered-By"). So please don't report these kinds of things, because we won't take them into consideration.

If you discover a security issue with an election, please read our Responsible Disclosure policy and contact us at [email protected]. Your report must include:

  • Vulnerability description
  • Reproduction steps

A member of our security team will confirm the validity of the vulnerability, determine its impact and develop a fix. This fix will be applied as soon as possible.

PGP key to send the report

To facilitate the secure reception and sending of security reports, we provide the following PGP key for confidential submission:

  • Key ID: 7759 37D8
  • Fingerprint: 77BD 5F94 0D8B 7498 B438 8917 B773 2972 7759 37D8
  • Expiration date: 10/7/21
  • Email: [email protected]

Make sure not to disclose details in the subject, as it will not be encrypted!

Responsible Disclosure policy

The Agora Voting Security Team asks that you comply with the following guidelines when researching and reporting security vulnerabilities:

  • Only test for vulnerabilities on your own install of Agora Voting
  • Never try to compromise an ongoing production election
  • Confirm that the vulnerability applies to the version installed in production
  • Share vulnerabilities in detail and only with the security team, with an encrypted email
  • Allow reasonable time for a response from the security team
  • Do not publish information related to the vulnerability until Agora Voting has made an announcement to the community

Security vulnerabilities in 3rd party applications or libraries used by Agora Voting should also be reported to the security team. The security team is not responsible for the security of these apps, but will attempt to contact the 3rd party app maintainer and then take appropriate action.