Security policy & disclosure
Last updated — 2026-04-19.
Election technology is uniquely hostile to opacity. We publish our security posture, not because we are perfect, but because the alternative is taking the word of a vendor who refuses to show their work.
Defence in depth
- AES-256 at rest. TLS 1.3 in transit. No plaintext anywhere.
- Role-based access with least privilege; audit trail attributable to identity for every state change.
- Network segmentation between public, application, and data planes.
- Secrets managed via HashiCorp Vault / AWS Secrets Manager (deployment-specific).
- Dependency and container scans run in CI; high-severity findings block release.
External assurance
- Annual independent penetration test — scope includes ERMS, VESR, and Watch the Votes.
- Third-party cryptography review before every major release.
- SOC 2 Type II in progress; ISO 27001 on the 2026 roadmap.
Report a vulnerability
We treat every report as a gift. Email security@ielect.ng with a description, a reproducer, and the affected product and version.
- Acknowledgement within 24 hours.
- Triage assessment within 72 hours.
- Coordinated disclosure; credit by default unless you prefer otherwise.
Safe harbour
Research conducted in good faith and within the scope of this policy will not be pursued legally by iElect. We ask only that you avoid degrading our services, do not access data that is not yours, and give us a reasonable window to fix issues before public disclosure.
Machine-readable disclosure contact: /.well-known/security.txt.