Voatz Bug Bounty Kicked Off of HackerOne Platform

Published at: March 31, 2020

For the first time in its history, bug bounty and vulnerability disclosure firm HackerOne has kicked a company off its platform.

Blockchain-based voting company Voatz has long touted its bug bounty program through HackerOne when asked about the security of its blockchain-enabled mobile voting app.

Founded in 2012, HackerOne connects businesses with pen testers and cybersecurity researchers. It has hosted over 1,800 customer programs, but the bug bounty run by Voatz, the beleaguered Massachusetts-based voting company, is no longer one of them.

“As a platform, we work tirelessly to foster that mutually beneficial relationship between security teams and the researcher community,” HackerOne spokesperson Samantha Spielman told Cointelegraph. “We partner with organizations that prioritize acting in good faith towards the security researcher community and providing adequate access to researchers for testing. Because the Voatz program did not adhere to either of those requirements, we terminated our partnership in March 2020.”

In a statement, a Voatz spokesperson attributed HackerOne’s decision to boot them off the platform to “pressure from a small group of researchers” who “believe Voatz reported a researcher to the FBI.” In fact, Voatz reported the student to the election jurisdiction concerned, which in turn referred the matter to the FBI.

Voatz faced criticism after the student security researcher was referred to the FBI over what the company says was an intrusion attempt—even though that research appears to have been protected by the safe harbor statement in the company’s bug bounty program. After the FBI referral made headlines, Voatz retroactively updated its HackerOne bug bounty program terms to narrow the scope of its safe harbor policy, making it unclear whether it even provided full legal protection.

“Trust is paramount throughout the bug bounty model between security teams, hackers and the platform. Once trust is broken, it’s hard to rebuild. While Voatz was able to surface and resolve vulnerabilities through their bug bounty program, the program was no longer productive for either party,” said Spielman.

Independent security researcher and avid bug bounty hunter Jack Cable said that Voatz was slow to even confirm the two bug bounty reports he filed. In one instance, he found a vulnerability, private keys copied from Stack Overflow and embedded in the Voatz app, that Voatz said had no role in its election process. However, a security audit by Trail of Bits suggested the keys were in use in certain functionality, and it listed the issue as a high-severity finding.

“There are a lot of cases where they tried to downplay the severity of something or weren’t too clear about whether it was even a vulnerability. Overall, it was just not a very productive experience,” Cable said.

Cable also found his IP address blocked when testing the app, though he says it is unclear whether this was automated. “There were a couple times when I was testing and I was no longer able to [test] even on their staging environment because my IP address was blocked,” he said.

MIT researchers who identified serious security flaws in Voatz’s app found many vulnerabilities that would have been outside the scope of the bug bounty program, had they gone through it. Instead, they disclosed through CISA, the Cybersecurity and Infrastructure Security Agency. “We wanted the research to speak for itself, and had legal concerns about Voatz’s unprofessional response to prior independent security research, as has been documented in multiple news outlets,” the researchers wrote in an FAQ.

Cable pointed to Voatz’s “general hostility to security research as a whole.” Voatz denied the security vulnerabilities described in the MIT report, even after they were confirmed by Trail of Bits, the auditing firm it hired. “On one hand, they're saying, ‘come tell us about the vulnerabilities you find.’ But then when people actually find vulnerabilities, they deny that they even exist,” he said.

“They're clearly not receptive to security research. HackerOne has a responsibility to protect not only its customers, but also hackers on its platform as soon as the company starts crossing that line. I think HackerOne had to act, so I’m glad that they did in this case.”

Voatz said it plans to announce a comprehensive bug bounty program in the coming days.
