Voatz disputes claims it was 'kicked off' HackerOne

HackerOne has cut ties with Voatz, but the mobile voting vendor disputed reports that it was kicked off the bug bounty platform following controversy with security researchers.

The trouble continues for mobile voting company Voatz.

HackerOne, which provides a bug bounty platform to help enterprises manage vulnerability reporting, has cut ties with the e-voting vendor. HackerOne cited "Voatz's pattern of interactions with the research community" in a comment to CyberScoop, which first reported the split.

A HackerOne spokesperson provided a statement to SearchSecurity on the matter. "As a platform, we work tirelessly to foster that mutually beneficial relationship between security teams and the researcher community. While Voatz was able to surface and resolve vulnerabilities through their bug bounty program, we decided to discontinue our partnership. The program ultimately did not adhere to our partnership standards and was no longer productive for either party," the statement read.

Voatz came under fire in February when a research team from MIT contested the security of the vendor's voting app, revealing numerous vulnerabilities that could allow cybercriminals to not only compromise voters' private data, but also change or even prevent users' votes. The researchers' technical paper also disputed Voatz's claim that it uses blockchain technology on the mobile app to ensure the integrity of votes.

However, Voatz contested reports that HackerOne essentially dumped the vendor, characterizing the split as a mutual decision to temporarily suspend the partnership.

"We regret that our program with HackerOne arrived at a need to temporarily pause due to pressure from a small group of researchers who, along with a few other members of the community, believe Voatz reported a researcher to the FBI," said the Boston-based Voatz in a statement given to SearchSecurity. "This falsehood and misinformation has been a source of animosity toward Voatz and our partners, who face consistent attacks from these researchers."

According to Voatz vice president of product Hilary Braseth, the cutting of ties was mutually agreed upon, and potentially temporary.

"We had continued conversations with HackerOne and it was deemed mutually the right thing for both parties due to the animosity from these researchers to temporarily pause our engagement," she told SearchSecurity. "It became too taxing for them to put up with this and for us too. It made sense for us to find an alternative and so we are building our own public bounty program."

When asked to confirm Voatz's version of events, a HackerOne spokesperson said, "We're committed to respecting the privacy of all customers -- current and past -- so I can't go into too many specifics about the Voatz program at this time."

The "animosity from these researchers" refers to a 2018 incident where Voatz was accused of reporting a group of University of Michigan students to the FBI for attempting to hack a live production system of Voatz's app. The university said that the students were conducting dynamic analysis of the app. Because election infrastructure is classified as critical infrastructure and it's a federal offense to do any tampering with it, Braseth said that they were required by law and contract to report them to West Virginia, which was holding an election pilot program at the time. After that, "West Virginia made the decision to report this activity to the FBI," Braseth said.

"And so there was a false presumption that Voatz reported a researcher to the FBI, and a small group of researchers began to craft an, if I might say, antagonistic approach to Voatz, and since then have been pressuring any of our partners to try to get them to abandon or stop working with us. Anyone from folks piloting our technology to partners like HackerOne. And so we believe this to be a part of that aftermath," Braseth said.

Voatz's mobile voting platform has been used in a number of areas across the United States, including West Virginia for their 2018 midterm elections, as well as other states like Colorado and Utah. However, in the wake of the MIT research, West Virginia announced that it would cease using Voatz for its elections.

An independent audit by infosec consultancy Trail of Bits reinforced MIT's findings and found additional security weaknesses. Braseth explained that this audit was done in partnership with Voatz, and while Voatz responded to each finding, Trail of Bits did not include these responses in its final blog post.
