“Candidates are sharing, selling and trading voters’ sensitive data with third parties,” according to the Online Trust Alliance, a non-profit that analyzed 23 presidential candidates’ websites and graded them on their privacy and consumer protection practices.

“We believe such sites are breaches waiting to happen,” the report said. “They are prime targets for people motivated by the commercial value of the data or politics and hacktivism.”

Only six candidates’ websites passed the OTA’s security test, including those of Jeb Bush, Chris Christie, Rick Santorum and Scott Walker (plus two Democrats—see the full list below).

But the remaining 17 presidential campaign websites—including those of Donald Trump, Hillary Clinton, Carly Fiorina and others—all failed the audit. They were dinged for lacking firewalls; using email systems vulnerable to “being spoofed or forged” or strange email addresses that could “confuse recipients” or “make them suspicious;” and even reserving the right in their privacy policies to “liberally share or sell” their donors’ addresses, employers and even passport numbers.

OTA wasn’t able to find the privacy policy on four campaign websites—which could mean those campaigns are actually breaking the law, the study’s authors wrote.

On the other hand, candidates who passed all received “excellent marks,” the report said. “There was no middle ground.”

Below, how all 23 candidates stacked up on website security: