HackerOne, a company that pairs ethical hackers with organizations to fix software flaws, has kicked mobile voting vendor Voatz off its platform, citing the vendor’s hostile interactions with security researchers.
It’s the first time in its eight-year existence that HackerOne, which works with companies from AT&T to Uber, has expelled an organization from its bug-bounty-hosting platform, a HackerOne spokesperson said. The decision comes after Voatz assailed the motives of MIT researchers who found flaws in the company’s voting app.
“After evaluating Voatz’s pattern of interactions with the research community, we decided to terminate the program on the HackerOne platform,” a HackerOne spokesperson told CyberScoop. “We partner with organizations that prioritize acting in good faith towards the security researcher community and providing adequate access to researchers for testing.”
It is the latest security-related setback for Voatz, which is trying to make inroads in a market dominated by traditional voting machine manufacturers. In the last two years, a smattering of U.S. counties have used the Voatz smartphone app in elections to try to improve turnout.
In a statement to CyberScoop, Voatz blamed the change in its relationship with HackerOne on a “small group of researchers who, along with a few other members of the community, believe Voatz reported a researcher to the FBI” — something Voatz says never happened.
“We are steadfast in our commitment to continuing our work with collaborative researchers to test the security of our platform,” Voatz said. “We will soon be launching a new public bug bounty program, available to any researcher.” The company said it has awarded nearly $6,000 in bug bounties through HackerOne and other avenues.
A sign of Voatz’s deteriorating relationship with HackerOne came last month when Voatz updated its policy on the HackerOne website. The company, according to the update flagged by security researchers, couldn’t “guarantee safe harbor,” or legal protections, for ethical hackers who access the company’s live election systems.
The move alarmed some researchers.
“Voatz’s bug bounty was more of a PR talking point than an attempt to truly engage with the security community,” said Kevin Skoglund, chief technologist at the nonprofit Citizens for Better Elections. “They ultimately limited both the scope and the safe harbor provisions, hampering researchers’ ability to find and report many of the app’s real flaws.”
Voatz insisted it had not downgraded any of the protections for researchers.
“We updated our safe harbor protections to be aligned with industry standards, a common practice,” the company’s statement said. “We added more content and clarity to avoid any miscommunication and false flag. Our scope is in adherence to our internal testing cycles and accommodates an intense schedule of third-party audits for the rest of the year.”
Tensions erupt over MIT report
Security experts have long warned that mobile voting is intolerably risky because of its potential to be remotely compromised by hackers. But touting the use of blockchain technology, biometric identification, and a matching paper record for verification, companies like Voatz have insisted mobile voting can be done securely.
In its bid to shake up the voting vendor market, Voatz has vigorously defended its technology while sometimes criticizing those who question it.
After MIT researchers last month reported vulnerabilities in the Voatz app they said could be exploited to “alter, stop, or expose a user’s vote,” Voatz executives rejected the findings as flawed. They accused the researchers of acting in “bad faith” and being part of “a systematic effort to dismantle any online voting pilots.” Had the MIT researchers gone through the now-defunct HackerOne bug bounty program, Voatz said, they could have tested the updated version of the app.
But an independent audit of the app, commissioned by Voatz and performed by security firm Trail of Bits, largely confirmed the MIT researchers’ findings and said they had engaged in sound security practices.
Jack Cable, a white-hat hacker and Stanford University student, said he submitted a vulnerability he found in Voatz’s app through the HackerOne platform. Voatz told him they didn’t consider it a critical issue, he said, but it later ended up being flagged as such in the Trail of Bits report.
Voatz told CyberScoop it didn’t consider the vulnerability critical because the technology in question — non-anonymous ballots — is “not used in any active governmental elections we conduct.”
After the MIT report, West Virginia backed away from plans to let people with disabilities vote using Voatz’s smartphone app in the state’s presidential primary, NBC News reported.
While outside researchers continue to scrutinize its security, Voatz has been granting independent testers more access to its code. The company says the Department of Homeland Security’s cybersecurity division is currently vetting its app.
With the novel coronavirus disrupting primary voting, some election security advocates are urging states to enable more people to vote by mail. For its part, Voatz sees an opportunity to promote its remote voting capabilities.
But security researchers like Cable firmly oppose that.
“The fact that there is a crisis should not be used as a reason to deploy untested and insecure technology,” Cable told CyberScoop. “Rather, now more than ever we need to have faith in our election systems, which in Voatz’s case, is not possible due to their lack of transparency.”