For the first time in its history, bug bounty and vulnerability disclosure firm HackerOne has kicked a company off its platform.
Blockchain-based voting company Voatz has long touted its bug bounty program through HackerOne when asked about the security of its blockchain-enabled mobile voting app.
Founded in 2012, HackerOne connects businesses with pen testers and cybersecurity researchers. It has hosted over 1,800 customer programs, but the beleaguered Massachusetts-based company’s bug bounty is no longer one of them.
“As a platform, we work tirelessly to foster that mutually beneficial relationship between security teams and the researcher community,” HackerOne spokesperson Samantha Spielman told Cointelegraph. “We partner with organizations that prioritize acting in good faith towards the security researcher community and providing adequate access to researchers for testing. Because the Voatz program did not adhere to either of those requirements, we terminated our partnership in March 2020.”
In a statement, a Voatz spokesperson attributed HackerOne’s decision to boot them off the platform to “pressure from a small group of researchers” who “believe Voatz reported a researcher to the FBI.” In fact, Voatz reported the student to the jurisdiction which then reported it to the FBI.
Voatz faced criticism after the student security researcher was referred to the FBI over what the company says was an intrusion attempt—even though that research appears to have been protected by the safe harbor statement in the company’s bug bounty program. After the FBI referral made headlines, Voatz retroactively updated its HackerOne bug bounty program terms to narrow the scope of its safe harbor policy, making it unclear whether it even provided full legal protection.
“Trust is paramount throughout the bug bounty model between security teams, hackers and the platform. Once trust is broken, it’s hard to rebuild. While Voatz was able to surface and resolve vulnerabilities through their bug bounty program, the program was no longer productive for either party,” said Spielman.
Independent security researcher and avid bug bounty hunter Jack Cable said that Voatz was slow to even confirm the two bug bounty reports he filed. In one instance, he found a vulnerability—Voatz storing private keys from Stack Overflow on its app—that Voatz said had no role in its election process. However, a security audit by Trail of Bits suggested it was in use in certain functionality and was listed as a high-severity bug.
“There are a lot of cases where they tried to downplay the severity of something or weren’t too clear about whether it was even a vulnerability. Overall, it was just not a very productive experience,” Cable said.
Cable also found his IP address blocked when testing the app, though he says it is unclear whether this was automated. “There were a couple times when I was testing and I was no longer able to even on their staging environment because my IP address was blocked,” he said.
MIT researchers who identified serious security flaws with Voatz found many vulnerabilities that would have been outside of the scope of the bug bounty program, had they gone through it. Instead, they went through CISA. “We wanted the research to speak for itself, and had legal concerns about Voatz’s unprofessional response to prior independent security research, as has been documented in multiple news outlets,” the researchers wrote in an FAQ.
Cable pointed to Voatz’s “general hostility to security research as a whole.” Voatz denied security vulnerabilities described in an MIT report, even after it was confirmed by Trail of Bits, the auditing firm it hired. “On one hand, they're saying, ‘come tell us about the vulnerabilities you find.’ But then when people actually find vulnerabilities, they deny that they even exist,” he said.
“They're clearly not receptive to security research. HackerOne has a responsibility to protect not only its customers, but also hackers on its platform as soon as the company starts crossing that line. I think HackerOne had to act, so I’m glad that they did in this case.”
Voatz said it plans to announce a comprehensive bug bounty program in the coming days.