“(a) In general.—

“(1) ESTABLISHMENT.—The Commission, in consultation with the Secretary, shall establish an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems (VDP–E) (in this section referred to as the ‘program’) in order to test for and disclose cybersecurity vulnerabilities in election systems.

“(2) DURATION.—The program shall be conducted for a period of 5 years.

“(3) REQUIREMENTS.—In carrying out the program, the Commission, in consultation with the Secretary, shall—

“(A) establish a mechanism by which an election systems vendor may make their election system (including voting machines and source code) available to cybersecurity researchers participating in the program;

“(B) provide for the vetting of cybersecurity researchers prior to their participation in the program, including the conduct of background checks;

“(C) establish terms of participation that—

“(i) describe the scope of testing permitted under the program;

“(ii) require researchers to—

“(I) notify the vendor, the Commission, and the Secretary of any cybersecurity vulnerability they identify with respect to an election system; and

“(II) otherwise keep such vulnerability confidential for 180 days after such notification;

“(iii) require the good faith participation of all participants in the program; and

“(iv) require an election system vendor, after receiving notification of a critical or high vulnerability (as defined by the National Institute of Standards and Technology) in an election system of the vendor, to—

“(I) send a patch or propound some other fix or mitigation for such vulnerability to the appropriate State and local election officials, in consultation with the researcher who discovered it; and

“(II) notify the Commission and the Secretary that such patch has been sent to such officials;

“(D) in the case where a patch or fix to address a vulnerability disclosed under subparagraph (C)(ii)(I) is intended to be applied to a system certified by the Commission, provide—

“(i) for the expedited review of such patch or fix within 90 days after receipt by the Commission; and

“(ii) if such review is not completed by the last day of such 90 day period, that such patch or fix shall be deemed to be certified by the Commission; and

“(E) 180 days after the disclosure of a vulnerability under subparagraph (C)(ii)(I), notify the Director of the Cybersecurity and Infrastructure Security Agency of the vulnerability for inclusion in the database of Common Vulnerabilities and Exposures.

“(4) VOLUNTARY PARTICIPATION; SAFE HARBOR.—

“(A) VOLUNTARY PARTICIPATION.—Participation in the program shall be voluntary for election systems vendors and researchers.

“(B) SAFE HARBOR.—When conducting research under this program, such research and subsequent publication shall be considered to be:

“(i) Authorized in accordance with section 1030 of title 18, United States Code (commonly known as the ‘Computer Fraud and Abuse Act’), (and similar State laws), and the election system vendor will not initiate or support legal action against the researcher for accidental, good faith violations of the program.

“(ii) Exempt from the anti-circumvention rule of section 1201 of title 17, United States Code (commonly known as the ‘Digital Millennium Copyright Act’), and the election system vendor will not bring a claim against a researcher for circumvention of technology controls.

“(C) RULE OF CONSTRUCTION.—Nothing in this paragraph may be construed to limit or otherwise affect any exception to the general prohibition against the circumvention of technological measures under subparagraph (A) of section 1201(a)(1) of title 17, United States Code, including with respect to any use that is excepted from that general prohibition by the Librarian of Congress under subparagraphs (B) through (D) of such section 1201(a)(1).

“(5) EXEMPT FROM DISCLOSURE.—Cybersecurity vulnerabilities discovered under the program shall be exempt from section 552 of title 5, United States Code (commonly referred to as the Freedom of Information Act).

“(6) DEFINITIONS.—In this subsection:

“(A) CYBERSECURITY VULNERABILITY.—The term ‘cybersecurity vulnerability’ means, with respect to an election system, any security vulnerability that affects the election system.

“(B) ELECTION INFRASTRUCTURE.—The term ‘election infrastructure’ means—

“(i) storage facilities, polling places, and centralized vote tabulation locations used to support the administration of elections for public office; and

“(ii) related information and communications technology, including—

“(I) voter registration databases;

“(II) election management systems;

“(III) voting machines;

“(IV) electronic mail and other communications systems (including electronic mail and other systems of vendors who have entered into contracts with election agencies to support the administration of elections, manage the election process, and report and display election results); and

“(V) other systems used to manage the election process and to report and display election results on behalf of an election agency.

“(C) ELECTION SYSTEM.—The term ‘election system’ means any information system that is part of an election infrastructure, including any related information and communications technology described in subparagraph (B)(ii).

“(D) ELECTION SYSTEM VENDOR.—The term ‘election system vendor’ means any person providing, supporting, or maintaining an election system on behalf of a State or local election official.

“(E) INFORMATION SYSTEM.—The term ‘information system’ has the meaning given the term in section 3502 of title 44, United States Code.

“(F) SECRETARY.—The term ‘Secretary’ means the Secretary of Homeland Security.

“(G) SECURITY VULNERABILITY.—The term ‘security vulnerability’ has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).”.