HackerOne divorces itself from Voatz following months of disputes with researchers
For the first time since its launch, HackerOne – a bug-bounty-hosting platform which employs “ethical hackers” to find and fix exploitable vulnerabilities in businesses’ and organizations’ security perimeters – has summarily removed a vendor from its platform. It explained that it believed the attitude of biometric mobile voting app Voatz toward security researchers had been too aggressive, even “hostile.”
Voatz’s problems though have been a smoldering controversy for some time now, as Biometric Update has reported.
“After evaluating Voatz’s pattern of interactions with the research community, we decided to terminate the program on the HackerOne platform,” a HackerOne spokesperson told CyberScoop, noting that “we [only] partner with organizations that prioritize acting in good faith towards the security researcher community and providing adequate access to researchers for testing.”
Voatz blamed HackerOne’s decision on a “small group of researchers who, along with a few other members of the community, believe Voatz reported a researcher to the FBI,” which Voatz has denied.
“We are steadfast in our commitment to continuing our work with collaborative researchers to test the security of our platform,” Voatz said. “We will soon be launching a new public bug bounty program, available to any researcher.” The company has offered a $6,000 reward for finding and fixing any bugs discovered through HackerOne and other means.
Just a few weeks ago, as Biometric Update reported, Trail of Bits performed the first-ever “white-box” security assessment of the Voatz platform, with access to the Voatz Core Server and backend software, and assessed that it “confirmed the issues flagged in previous reports by MIT and others, discovered more and made recommendations to fix issues and prevent bugs from compromising voting security.”
In its report, Voatz Security Assessment Volume I of II: Technical Findings, prepared for Tusk Philanthropies and Voatz, Trail of Bits stated, “Our security review resulted in 79 findings. A third of the findings are high severity, another third medium severity, and the remainder a combination of low, undetermined, and informational severity.”
In August, though, Biometric Update reported that a third-party audit of voting using the biometric Voatz app for elections in Denver had been performed by the National Cybersecurity Center and Denver Election Divisions, and revealed that votes cast via Voatz’s blockchain were recorded and tabulated accurately, according to Tusk Philanthropies.
Stanford University ethical hacker Jack Cable reported having flagged, through HackerOne’s platform, a vulnerability he said he found in Voatz’s app, but said Voatz’s response was that it was not considered a serious issue. Trail of Bits, on the other hand, did find the weakness to be a valid security matter in its report.
Voatz told CyberScoop the exposure was not critical because the affected component is not “used in any active governmental elections we conduct.”
The Voatz platform allows voters to cast ballots from any geographic location on supported mobile devices, but its mobile voting platform has been “under increasing public scrutiny for security vulnerabilities that could potentially invalidate an election,” Trail of Bits said, adding that “the issues are serious enough to attract inquiries from the Department of Homeland Security [DHS] and Congress. However, there has been no comprehensive security report to provide details of the Voatz vulnerabilities and recommendations for fixing them — until now.”
According to Voatz, DHS’s cybersecurity division is continuing to vet its app. DHS has been mum on its findings so far.
Biometric Update previously reported widespread controversy over the security of the Boston-based Voatz’s blockchain voting app, the first internet-based voting app to have been used in U.S. federal elections, especially by military members abroad and absentee voters. Its security had been called into question following research by a team of MIT engineers in their paper, A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections, in which they alleged Voatz’s blockchain voting app has “vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote, including a side-channel attack in which a completely passive network adversary can potentially recover a user’s secret ballot,” and “that Voatz has a number of privacy issues stemming from their use of third-party services for crucial app functionality.”
HackerOne said in statements that its judgment was based on Voatz assailing the motives of MIT researchers who found flaws in the company’s voting app.
But Voatz’s rapidly worsening relationship with HackerOne, and its efforts to prop up its credibility, went from simmer to full boil when Voatz updated its policy on HackerOne’s website. Based on that update, HackerOne pointed out it could no longer “guarantee safe harbor” for anyone who accessed Voatz’s live election systems.
“Voatz’s bug bounty was more of a PR talking point than an attempt to truly engage with the security community,” said Kevin Skoglund, chief technologist at the nonprofit Citizens for Better Elections. “They ultimately limited both the scope and the safe harbor provisions, hampering researchers’ ability to find and report many of the app’s real flaws.”
In its Voatz Security Issue Disclosure Policy, the firm stated, “The security of our election infrastructure is critical to the integrity of our democracy. Therefore, we value the input of security researchers acting in good faith to help us maintain a high standard for the security of our systems, which in turn gives all voters confidence in our electoral process. This includes encouraging responsible research and disclosure of issues. This policy sets forth our definition of good faith in the context of finding and reporting issues, as well as what you can expect from Voatz in return.”
“We updated our safe harbor protections to be aligned with industry standards, a common practice,” Voatz continued. “We added more content and clarity to avoid any miscommunication and false flag. Our scope is in adherence to our internal testing cycles and accommodates an intense schedule of third-party audits for the rest of the year.”
After MIT researchers last month reported vulnerabilities in the Voatz app they said could be exploited to “alter, stop, or expose a user’s vote,” Voatz executives rejected the findings as flawed. They accused the researchers of acting in “bad faith” and being part of “a systematic effort to dismantle any online voting pilots.” Had the MIT researchers gone through the now defunct HackerOne bug bounty program, Voatz said, they could have tested the updated version of the app.
In its announcement on HackerOne, Voatz said, “When working with us according to this policy, you can expect us to:”
• Always hold the integrity of the democratic process as critical to our mission.
• Extend Safe Harbor for your issue / vulnerability research that is related to this policy.
• Work with you to understand and validate your report, including a timely initial response to the submission.
• Work to remediate discovered issues / vulnerabilities within our budgetary and operational constraints.
• Recognize your contribution to improving our security, after remediation and at a time of our choosing if you are the first to report a unique issue / vulnerability, and if your report triggers a code or configuration change.
The company added, “With your permission, we will disclose unfixed issues that you find with other security researchers to assist in their testing to avoid unnecessary duplication of effort.”