Skip to content
Chimera readability score 76 out of 100, Expert reading level.

Vulnerabilities in voting systems are real and worth fixing. At the same time, the manner in which they are used to fearmonger does not reflect the actual security of elections.
Security researchers do find real weaknesses embedded in the code and operations of U.S. voting systems, just like they do with power grids, banks, and telecommunications, all of which share the same “critical infrastructure” designation as elections. Finding a flaw and fixing it is a sign of a mature system, not a sign it’s broken.
But claiming that vulnerabilities in voting systems exist is different from claiming that vulnerabilities in voting systems have been exploited, and even further distinct from claiming that vulnerabilities in voting systems have been exploited during live election operations in a manner to have rigged past elections, flipped votes, and determined outcomes. Each one of those concepts relies on a distinct body of evidence to be proven true. Public discourse that intentionally conflates the evidence for one to equate the outcomes of another is deceptive and can be disproven. The evidentiary record does not support claims that voting system vulnerabilities have been exploited to rig recent elections such as the 2020 presidential election in the United States.
How do we learn about vulnerabilities in voting systems?
Vulnerabilities in voting systems are tested and disclosed by expert security researchers. Testing voting systems for vulnerabilities has been happening for decades. Proactive testing and disclosure are standard practice and take place in multiple venues. For a long time, the relationship between researchers, vendors, and election officials was contentious; findings were treated as accusations, and disclosure felt adversarial. Over time, that friction has become more productive, as security researchers developed better understanding of election safeguards, and the election community built more mature programs for receiving, disclosing, and fixing the vulnerabilities researchers found.
Security researchers often disclose vulnerabilities through vulnerability reports, which document a weakness in a system. The report typically covers what was tested, what weaknesses were found, and what an attacker could do with them under the right circumstances. When the security researcher is independent from the organization or vendor, the standard practice is to share the findings privately first, giving the vendor or organization time to patch and mitigate before the report goes public.
What happens when vulnerabilities in voting systems are identified?
Following identification of vulnerabilities in a voting system, responsible disclosure and response are the next steps, and have a few important characteristics: independence, technical rigor, and orientation toward remediation rather than political interference. California’s 2007 Top-to-Bottom Review — a comprehensive security assessment of all voting systems then certified for use in the state — is a good model. Teams of computer scientists from the University of California tested machines made by Diebold Election Systems, Sequoia Voting Systems, and Hart InterCivic, systems used at the time by 9 million of the state’s registered voters. The review found that all three systems could be compromised by an attacker with physical access: testers bypassed tamper-resistant seals, accessed memory cards, and demonstrated the ability to install malicious code. Secretary Bowen’s response was targeted and proportionate: decertification of the equipment and imposition of dramatically strengthened security requirements before any system could be returned to use. The review is a model of what responsible security assessment looks like.
Processes for disclosure are becoming more collaborative, marking a significant shift away from the earlier adversarial dynamic between the security research and elections communities. In September 2023, the first Election Security Research Forum brought together cybersecurity researchers, voting technology providers, and election officials to formalize coordinated vulnerability disclosure processes for election technology. Researchers tested not-yet-deployed equipment from ES&S, Hart InterCivic, and Unisyn Voting Solutions under agreed-upon disclosure protocols.
As for response, proportionality is key, as not all vulnerabilities can be easily exploited. This was the case with a 2006 analysis by Princeton University researchers on the security of the Diebold AccuVote-TS Voting Machine. They found that an attacker with physical access could install malicious software, and that malicious software could spread between machines during normal election activity, but the attack relied on conditions that would not hold in a real election. It required prolonged, undetected physical access to machines before and during voting (which every state now restricts through tightly controlled chain-of-custody procedures governing who can handle equipment, when, and under what supervision). It also assumed no paper trail and no independent auditing to catch the manipulation after the fact. Even in jurisdictions that do not use machines producing a paper record (less than 4% of registered voters live in these jurisdictions), the physical access the attack depends on is not feasible under the custody controls that govern election equipment today.
Even for technical weaknesses which are infeasible to exploit undetected, there is value in understanding, assessing, and mitigating those vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) has supported the testing and disclosure of vulnerabilities on voting systems with programs like the Critical Product Evaluation, which was run out of Idaho National Laboratories. This open-ended testing of voting systems worked collaboratively with the vendor to advance the security posture of new systems, prior to submitting for voting system certification with the U.S. Election Assistance Commission.
Additionally, since 2017, the Voting Village at prominent hacker conference DEF CON has brought security researchers together to assess voting equipment in a structured environment conducive to research, and produce an annual report cataloguing their discovered vulnerabilities. While that research does not always reflect the real-world safeguards of an operational election, there is value in addressing the technical weaknesses identified for any systems still in use. In this instance too, researchers are only finding and documenting weaknesses, refraining from making unsupported claims of weaponization in a live election.
Voting system vulnerability disclosure has also become more focused on featuring not only findings, but what those findings mean in practice. As a 2022 formal advisory coordinated by CISA demonstrates. The advisory — based on assessment by University of Michigan’s J. Alex Halderman and Auburn University’s Drew Springall of the Dominion Voting Systems Democracy Suite ImageCast X — identified multiple vulnerabilities that could be exploited under specified conditions to access significant control over the voting system’s operations. CISA’s accompanying statement was unambiguous and effecitve: “CISA has no evidence that these vulnerabilities have been exploited in any elections.” Dominion confirmed that the vulnerabilities had been addressed in subsequent software versions.
Does identification of vulnerabilities validate claims that past elections were stolen?
No, finding a vulnerability in voting software says nothing about what happened in any particular election.
A vulnerability assessment describes a weakness and what an attack could look like; it does not document an attack that occurred. As mentioned earlier, CISA’s 2022 advisory on Dominion systems, one of the most prominent public assessments of voting machine vulnerabilities to be released, was unambiguous: “CISA has no evidence that these vulnerabilities have been exploited in any elections.” Demonstrating the existence of a flaw is one thing; what someone did with it is a separate question. To that question, no credible evidence has been produced to validate claims that past elections were stolen or that votes or vote totals were altered in any way.
This reality has not prevented baseless claims of election fraud. After the 2020 election, Trump and allied plaintiffs filed more than 60 lawsuits across multiple states challenging the results. Every significant challenge failed. Courts found plaintiffs unable to produce “credible and relevant evidence” of manipulation.
A report confirming that vulnerabilities exist in voting machines does not disturb any of those findings. Overturning them would require showing which specific machines were compromised, or which specific tallies were altered. Security research has not established that. Neither has any court, audit, or law enforcement investigation.
How can elections run on vulnerable systems be trusted?
Election administration includes controls designed to catch exactly the kind of manipulation a software compromise would attempt.
Security researchers and election integrity advocates across the political spectrum have pressed for paper ballots: not because they prevent hacking, but because they ensure it cannot go undetected. A voter-verified paper ballot, a physical record of voter intent that exists independently of any software, is a detective control. If software is manipulated to change a recorded vote, the paper ballot remains unaltered and that discrepancy is detectable. As cryptographer and MIT professor Ron Rivest formalized in a 2008 paper, a voting system is software-independent if an undetected change or error in its software cannot cause an undetectable change or error in an election outcome. According to Verified Voting, greater than 95 percent of registered voters live in jurisdictions with a verifiable paper trail. That means that, in the overwhelming majority of American elections, any manipulation of the election through voting systems is detectable.
Risk-limiting audits, which have been recommended by the Senate Intelligence Committee and the National Academies of Sciences, provide statistical confidence that electronically reported outcomes match physical ballots. An initial random sample of ballots is hand-counted and compared against reported results; if the sample supports the outcome at the pre-specified confidence level, the audit concludes. If the software-reported outcome is wrong, the audit is designed to catch it. Colorado became the first state to implement risk-limiting audits statewide in 2017; dozens of states have since adopted some form of post-election audit requirement.
Risk-limiting audits are not the only credible method of post-election audit. Other approaches, such as traditional audits, can also provide meaningful assurance as long as they are conducted properly. This is an important qualifier, because the same trusted role audits play can be weaponized as well. Since 2020, a number of sham reviews have been conducted (such as the Cyberninjas “audit” of the 2020 election in Arizona) that borrow the look and language of a real post-election audit while being designed to undermine legitimate results, mislead the public, and erode confidence in a well-run election. These reviews generate disinformation rather than assurance.
Before certification, election officials also reconcile the number of ballots issued against the number cast and counted. An attacker who altered electronic tallies would still need to explain why the paper records and ballot counts do not match.
Safeguards including audits and paper audit trails do what they are meant to do: validate the outcome and increase public confidence in the accuracy of election outcomes. Research has also found that the confidence an audit generates depends on the credibility of the audit (things like who conducts it and how its results are announced), which further helps to cut against the sham-review problem.
How are voting system vulnerabilities weaponized using the “complexity exploit”?
Vulnerability reports on voting systems are technical documents and therefore their content is typically complex. One tactic to exploit this complexity is to selectively highlight vulnerabilities, map them to existing suspicions and narratives, and present them as proof of a changed election outcome. Rather than relying on evidence that an exploit was used or that it resulted in flipping votes or impacting outcomes, this tactic relies on the complexity of presented evidence to be interpreted as credible. In reality, the conclusion that outcomes of recent U.S. elections have been affected must be proven through independent evidence that, as yet, has not been presented.
Technical complexity may be used to provide the appearance of legitimacy, credibility, and expertise, but it alone is not the same as being credible. Technical complexity can be a tactic to obfuscate and deter questions, and here technically expert security researchers help discern real claims from masked nonsense.
Mike Lindell’s 2021 “cyber symposium” was an example of this “complexity exploit.” Lindell promoted what he described as definitive proof, allegedly derived from voting machine network traffic, that Chinese actors had manipulated the 2020 election through voting systems. When cybersecurity experts analyzed the data, they found it was not voting machine network traffic at all: it was an encoded version of Pennsylvania’s publicly available voter registration file. Election security researcher Harri Hursti described the presented material as “a big fat nothing.” Cybersecurity expert Robert Zeidman proved the data was not what Lindell claimed. The data had no evidentiary value; its point was to pass off technical complexity as proof.
Using technical complexity to suggest that vulnerabilities have been weaponized takes advantage of a gap in public understanding of election technology. The election process is incredibly transparent, and still, the evidence to support claims that election vulnerabilities have been operationally exploited has not been presented.
Isn’t dismissing vulnerability research also a problem?
The election community takes legitimate security research seriously, and the importance of security testing and vulnerability research to voting system security has been recognized, as illustrated by the adoption of the updated federal Voluntary Voting System Guidelines (VVSG 2.0). The VVSG 2.0 process for certifying voting systems explicitly requires penetration testing, a form of security testing which attempts to exploit vulnerabilities and processes to identify security gaps.
In the years following the 2017 designation of election infrastructure as critical infrastructure, the elections community and the security research community built more productive relationships. The Election Security Research Forum and coordinated disclosure processes between researchers and vendors described above all reflect maturation in how election technology vulnerabilities are identified and addressed.
Are states or the federal government responsible for voting system security?
State and local governments run elections. Federal agencies have a mission to support the security of U.S. elections.
Compared to other critical infrastructure, voting systems occupy an unusual regulatory position. These systems are subject to both diverse state-level certification requirements and a federal framework (VVSG) that is advisory rather than mandatory, unlike power grids or financial systems where federal agencies have direct regulatory authority and can mandate security standards. However, some states have implemented laws that require testing and certification to federal standards, thereby making compliance with voluntary federal standards obligatory in those states.
How does the way we govern voting systems shape how vulnerabilities are fixed?
The combination of diverse state requirements and voluntary federal guidelines creates a challenge when vulnerabilities are discovered. Whereas a commercial software vendor discovering a flaw in a widely deployed product can push a patch to millions of devices in days, a voting system vendor discovering the same flaw must navigate state and federal certification processes before the fix is deployed to election jurisdictions. This means that deploying certified patches can be slow.
To address this problem, the U.S. Election Assistance Commission (EAC) has taken steps to expedite security patch approval, and several states have adopted their own interim security requirements. Streamlining patch approval processes, adequately resourcing organizations to build and test to standards, and a certification framework that can respond faster to security updates would also help. While the gap between vulnerability discovery and remediation remains wider than in many other technology sectors, the slowness of deploying certified patches is not evidence of past harms.

Facts Only

* Security researchers test voting systems for vulnerabilities.
* Vulnerabilities are disclosed through vulnerability reports.
* Responsible disclosure involves private sharing with vendors before public release.
* The California 2007 Top-to-Bottom Review tested Diebold, Sequoia, and Hart InterCivic systems.
* The 2006 analysis found an attacker could install malicious software on Diebold AccuVote-TS machines.
* A 2022 CISA advisory regarding Dominion Voting Systems identified vulnerabilities but stated there was no evidence these were exploited in any elections.
* Vulnerability assessment describes a weakness and potential attack scenario; it does not document an actual attack occurrence.
* Greater than 95 percent of registered voters live in jurisdictions with verifiable paper trails.
* Risk-limiting audits provide statistical confidence that electronic outcomes match physical ballots.

Executive Summary

Security researchers actively test U.S. voting systems for vulnerabilities, a practice that has evolved from an adversarial relationship to a more collaborative disclosure process involving vendors and election officials. Vulnerabilities are documented in reports detailing potential weaknesses. Responsible disclosure involves sharing findings privately with vendors first, allowing time for remediation before public release. Post-identification, responses emphasize independence, technical rigor, and remediation over political interference, exemplified by assessments like California's 2007 Top-to-Bottom Review. Collaborative processes, such as the Election Security Research Forum, aim to formalize these disclosure protocols. While vulnerabilities exist, evidence has not been produced to validate claims that they have been exploited to rig recent elections. The existence of vulnerabilities does not automatically imply election outcomes were altered, and safeguards like voter-verified paper ballots and risk-limiting audits provide mechanisms for detection post-election.

Full Take

The tension between acknowledging technical weaknesses and avoiding the weaponization of that knowledge reveals a core conflict in governance: the speed of technological deployment versus the slowness of certification and remediation. The narrative surrounding election security shifts from an adversarial stance—where flaws are framed as proof of malfeasance—to a process-oriented view centered on verifiable controls, such as paper trails and audits. This shift is crucial because it redefines what constitutes evidence of fraud; it moves the burden from proving an exploit occurred to demonstrating that established, independently verifiable safeguards were bypassed or subverted. The "complexity exploit" pattern highlights how technical jargon can be leveraged not to prove a specific outcome, but to create an illusion of legitimacy where actual evidentiary gaps exist. The institutional challenge lies in managing the latency between vulnerability discovery and legally binding deployment of fixes across fragmented state and federal regulatory landscapes. What larger systemic assumptions about public trust and regulatory authority allow narratives alleging manipulation to gain traction when direct forensic evidence remains absent?

Sentinel — Human

Confidence

The text is a well-structured, evidence-based analysis that effectively separates the existence of vulnerabilities from claims of exploitation, building a reasoned argument through structured historical and technical context.

Signals Detected
low severity: Slight variation in sentence length and a more discursive flow than typical LLM output.
low severity: Maintains a consistent, argumentative thesis without becoming overly repetitive or vacuous.
low severity: Effective use of specific historical examples (CA review, Princeton analysis) and citing bodies like CISA and the EAC, suggesting research-based structure.
low severity: Specific, verifiable claims about CISA advisories regarding Dominion systems are contextualized by disclaiming exploitation evidence, which is a hallmark of careful reporting rather than pure fabrication.
Human Indicators
The integration of specific legal/regulatory structures (VVSG 2.0, EAC) with technical discussions indicates deep subject matter familiarity.
The nuanced handling of the 'complexity exploit' section demonstrates an ability to analyze rhetorical tactics alongside factual claims.
FAQ: Voting System Vulnerabilities and How They Can Be Weaponized — Arc Codex