Election App Voatz Just Got Kicked Out of a Major Bug Bounty Program


Bug bounty platform HackerOne severed ties with Medici Ventures-backed Voatz, the blockchain-based mobile voting app for breach of partnership standards. 

The removal cuts off Voatz’ access to HackerOne’s network of “ethical hackers” who trade their expertise in finding code faults for cash. HackerOne partners with corporations interested in shoring up potential security vulnerabilities. Across 1,800 total relationships and eight years, though, it’s never before kicked a partner out, said representative Samantha Spielman.

Spielman said Voatz’ breach of “partnership standards” made the relationship unviable, despite the program’s past bug-hunting successes. 

“As a platform, we work tirelessly to foster that mutually beneficial relationship between security teams and the researcher community,” she said. Spielman declined to elaborate on Voatz’ standards breach.

Voatz told CoinDesk in a statement that it regrets the relationship’s “temporary pause.” It said that HackerOne had caved to a “small group of researchers who, along with a few other members of the community, believe Voatz reported a researcher to the FBI.”

“This falsehood and misinformation has been a source of animosity toward Voatz and our partners, who face consistent attacks from these researchers,” the statement said.

West Virginia Secretary of State Mac Warner said in October 2019 that the FBI was investigating an attempted breach of the app during a pilot program in 2018. West Virginia has used the app in multiple pilots, and Warner maintains that no votes have been altered to date. 

Voatz came under the spotlight in mid-February when a group of MIT researchers released a scathing write-up highlighting myriad apparent security flaws in the app. They alleged Voatz was essentially bunk, criticized its transparency and called up election officials considering the app to maybe think twice. 

Voatz responded with its own torrent of criticism. In a sarcasm-laced February 13 press release, it called the researchers’ report unfair and their “bad faith recommendations” irreparably flawed.

However, earlier this month Trail of Bits published a report supporting the MIT researchers’ claims. Voatz had commissioned Trail of Bits to analyze its platform.

Voatz began working with HackerOne in August 2018 and has paid out over $6,000 to researchers through “HackerOne and other avenues” since. It plans to announce its own bounty program “in the coming days.”

West Virginia has dropped its partnership with the company.

Disclosure Read More

The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *