US HB6315

Requires the Election Assistance Commission to incorporate penetration testing into the testing, certification, decertification, and recertification of voting system hardware and software within 180 days of enactment, with NIST recommending accredited entities to conduct the testing.

Establishes a 5-year Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program (VDP-E) allowing cybersecurity researchers to test election systems, including voting machines and source code, for security vulnerabilities.

Requires researchers to keep discovered vulnerabilities confidential for 180 days after notifying vendors, the Commission, and the Secretary of Homeland Security, with critical vulnerabilities requiring vendors to send patches to state and local election officials.

Provides legal safe harbor for participating researchers under the Computer Fraud and Abuse Act and Digital Millennium Copyright Act, exempting good-faith security research from prosecution and circumvention claims.

Mandates expedited 90-day review of security patches for certified systems, with automatic certification if review is not completed, and requires vulnerabilities to be reported to CISA's Common Vulnerabilities and Exposures database after 180 days.