
Security audits of Dominion Voting Systems for 2024

Checked on November 23, 2025

Executive summary

Independent and government testing in 2024 produced formal certifications and targeted audits of Dominion’s Democracy Suite and ImageCast products, including an EAC test report for D‑Suite 5.20 and a CISA advisory on ImageCast X vulnerabilities; Georgia’s statewide 2024 ballot‑image audit reported 100% agreement between QR‑code tabulation and human‑readable text across 5,297,262 ballot images [1] [2] [3]. Reporting and vendor posts show researchers (notably University of Michigan’s Halderman) identified software and data‑handling vulnerabilities that Dominion patched, while some jurisdictions delayed deploying fixes before the 2024 general election [4] [5].

1. What formal 2024 testing and certifications show — government approval and lab reports

The Election Assistance Commission’s test report for Dominion’s D‑Suite 5.20 documents a formal test campaign and configuration audits tied to federal certification processes, indicating the product underwent the kinds of functional and physical configuration audits required for EAC approval [1]. Dominion’s product pages and archived vendor statements also cite third‑party lab analysis (MITRE National Election Security Lab) that, in earlier reviews, reported “no evidence of compromise or fraud” in certain battleground deployments — a claim Dominion highlights in its public materials [5] [6].

2. Known vulnerabilities and advisories — what was found and the vendor’s mitigation

CISA published an advisory describing vulnerabilities affecting ImageCast X, noting issues around self‑attestation of hashes and potential privilege escalation after certain administrative actions, and recommending mitigations such as disabling specific features and validating cryptographic hashes as Dominion recommends [2]. Independent academic researchers documented ballot‑image and scanner‑data weaknesses — notably in work by a University of Michigan team led by Halderman — which prompted Dominion to develop software patches for several reported issues [4].

3. Real‑world audits in 2024 — Georgia’s statewide ballot‑image audit as a case study

Georgia’s Secretary of State commissioned a statewide ballot image audit for the 2024 general election that used OCR to read 5,297,262 ballot images; the office reported the audit found the QR‑code tabulation agreed with human‑readable text in every analyzed contest and called the result a confirmation that “the votes in Georgia were counted accurately” [3] [7]. Local reporting likewise summarized that the OCR audit found just 87 discrepancies overall between original counts and the audit’s independent read — and that the audit confirmed winners in all 1,955 contests examined [8].

4. Tension between theoretical vulnerabilities and operational controls

Academic demonstrations and lab findings emphasized theoretical or feasible attacks if machines or exported data were accessible to adversaries; however, proponents of Dominion systems and some certification reports stress that physical security, air‑gapping, and operational chain‑of‑custody reduce real‑world risk, and that many locales rely on paper ballots and post‑election audits as safeguards [9] [10] [5]. Georgia officials publicly described some risks as “theoretical” and chose not to install fixes before the 2024 presidential election, reflecting a tradeoff jurisdictions sometimes make between patching schedules and election timelines [4].

5. What the vendor and third parties say about auditability and transparency

Dominion emphasizes that its systems produce voter‑verifiable paper records and ballot‑level audit trails (AuditMark®) designed to allow full recounts and audits, and the company points to federal/state certification and previous audit results in defending system integrity [11] [10]. Independent outlets and researchers, however, argue for more accessible third‑party analysis and rapid patching cycles; some experts have also recommended sanitizing public exports of ballot images or implementing vendor‑recommended mitigations to avoid inadvertent data leaks [4] [2].

6. Remaining questions and limitations in available reporting

Available sources do not mention a single, comprehensive nationwide “2024 security audit” that uniformly covers every jurisdiction’s Dominion deployments; instead the record is a patchwork of federal test reports, vendor statements, state audits (e.g., Georgia), CISA advisories, and academic papers focused on specific vulnerabilities or deployments [1] [3] [2] [4]. Also, while Dominion and some labs report no evidence of systemic compromise in prior analyses, other reporting documents specific vulnerabilities and delayed patch adoption in some counties, which leaves open how much practical risk varies across local practices [5] [4].

7. How to read these findings as an elections official or interested voter

Treat certification and statewide audits (like Georgia’s OCR ballot‑image audit) as evidence that tabulation and post‑election checks can validate results when combined with paper ballots and chain‑of‑custody controls [3] [10]. At the same time, follow CISA advisories and academic disclosures closely: apply vendor fixes and recommended mitigations before future elections when feasible, sanitize public exports as advised, and fund independent audits and transparency measures so local practices match the assumptions used in lab security models [2] [4].

Sources cited above: EAC D‑Suite test report [1]; CISA advisory on ImageCast X [2]; Dominion and archived vendor statements [9] [5] [10] [11]; University of Michigan researcher reporting and testing [4]; Georgia ballot image audit and reporting [3] [7] [8].
