Declaration of J. Alex Halderman

An exhibit filed in the Georgia case of Donna Curling et al v. Brad Raffensperger et al by J. Alex Halderman advocating that CISA receive a fully unredacted report by the same. Includes emails to/from Halderman and CISA Director Geoff Hale. Exhibits filed 9/21/21.

Uploaded by

GingerInk007

Case 1:17-cv-02989-AT Document 1177-1 Filed 09/21/21 Page 1 of 11

EXHIBIT A

EXHIBIT 1
9/2/2021 Gmail - Vulnerability Disclosure

J. Alex Halderman <[email protected]>

Vulnerability Disclosure

Hale, Geoffrey <[email protected]> Thu, Aug 19, 2021 at 12:15 PM
To: "J. Alex Halderman" <[email protected]>
Cc: Andrew Springall <[email protected]>

Prof. Halderman,

Thank you for your email. Yes, CISA would be willing to receive the report regarding possible vulnerabilities in election
infrastructure for inclusion in CISA’s Coordinated Vulnerability Disclosure (CVD) process and would carry out any further
coordinated disclosures activities as appropriate. As we share on our public website
(https://www.cisa.gov/coordinated-vulnerability-disclosure-process), CISA’s CVD program coordinates the remediation and
public disclosure of newly identified cybersecurity vulnerabilities in products and services with the affected vendor(s).
Note that part of our process may also involve validating any alleged vulnerabilities, planned mitigations, remediations,
or patches with the security researcher who discovered the alleged vulnerability, so we would appreciate if you could
continue to be available for consultation during the CVD process as well.

As shared on our website, please submit any vulnerability reports for CVD coordination using the form here:
https://www.kb.cert.org/vuls/report/

Best,

Geoff

From: J. Alex Halderman <[email protected]>
Sent: Wednesday, August 18, 2021 4:37 PM
To: Hale, Geoffrey <[email protected]>
Cc: Andrew Springall <[email protected]>
Subject: Vulnerability Disclosure

CAUTION: This email originated from outside of DHS. DO NOT click links or open attachments unless you recognize
and/or trust the sender. Contact your component SOC with questions or concerns.

Dear Mr. Hale,

We are writing to you in your capacity as Director of the Election Security Initiative at the federal Cybersecurity and
Infrastructure Security Agency (CISA).

We understand that the Election Security Initiative at CISA works to ensure the physical security and cybersecurity of the
systems and assets that support the Nation’s elections, including through detection and prevention, information sharing
and awareness, and incident response.

As you may be aware from recent press reports, one of us (Halderman) is presently serving as an expert witness for the
plaintiffs in Curling v. Raffensperger (Civil action no. 1:17-CV-2989-AT, N.D. Ga.), a case that concerns the security of
Georgia's election system. A year ago, the court granted plaintiffs access to an ICP ballot scanner and ICX ballot marking
device as used in Georgia in order to test their security. Following months of analysis, on July 1, Dr. Halderman submitted
an expert report that describes several very serious vulnerabilities we found in the equipment, which, to our knowledge,
have not been previously documented or disclosed.

Given the nature of the vulnerabilities and the time that would be necessary to mitigate them before the 2022 midterm
elections, we believe it is critical for Dominion and affected jurisdictions (which include Georgia and parts of many other
states) to begin taking responsive action soon. It is also vitally important to prevent information sufficient to exploit the
vulnerabilities from falling into the wrong hands, and to avoid fueling election-related misinformation if possible.

Currently, disclosure of the expert report to anyone other than outside litigation counsel for the parties is strictly prohibited
by the Court’s protective order and by recent directives from the judge. However, if permitted by the Court, we would like
to share the report with CISA and ask your agency to carry out appropriate further disclosure of the information it contains
to Dominion and affected jurisdictions as you see fit, under CISA's coordinated vulnerability disclosure (CVD) program
(https://www.cisa.gov/coordinated-vulnerability-disclosure-process).

We understand that under this process, CISA will work with the vendor (Dominion) for mitigation development and the
issuance of patches or updates and to facilitate sufficient time for affected end users to obtain, test, and apply mitigation
strategies. We further understand that CISA strives to disclose "accurate, neutral, objective information focused on
technical remediation and mitigation" and to "correct misinformation where necessary".

Please confirm that CISA would be an appropriate agency to handle coordinated vulnerability disclosure for election
infrastructure under these circumstances, and that you would be willing to receive the report (subject to the Court's
permission) and carry out further disclosures as you deem appropriate.

Sincerely,

J. Alex Halderman

Drew Springall
