The problems continue for mobile voting company Voatz.
HackerOne, which provides a bug bounty platform to help enterprises manage vulnerability reporting, has cut ties with the e-voting vendor. HackerOne cited “Voatz’s pattern of interactions with the investigation community” in a comment to CyberScoop, which first reported the split.
A HackerOne spokesperson provided a statement to SearchSecurity on the matter. “As a platform, we function tirelessly to foster that mutually advantageous romantic relationship among protection groups and the researcher community. When Voatz was ready to surface area and take care of vulnerabilities by way of their bug bounty software, we made a decision to discontinue our partnership. The software finally did not adhere to our partnership requirements and was no lengthier successful for either party,” the statement read.
Voatz came under fire in February when a research team from MIT contested the security of the vendor’s voting application, revealing several vulnerabilities that could allow cybercriminals to not only compromise voters’ personal data, but also change or even prevent users’ votes. The researchers’ technical paper also disputed Voatz’s claim that it uses blockchain technology on the mobile application to ensure the integrity of votes.
However, Voatz contested reports that HackerOne effectively dumped the vendor, characterizing the split as a mutual decision to temporarily suspend the partnership.
“We regret that our software with HackerOne arrived at a require to quickly pause due to pressure from a tiny group of researchers who, along with a couple of other customers of the community, consider Voatz documented a researcher to the FBI,” said the Boston-based Voatz in a statement provided to SearchSecurity. “This falsehood and misinformation has been a supply of animosity towards Voatz and our associates, who encounter regular assaults from these researchers.”
According to Voatz vice president of product Hilary Braseth, the cutting of ties was mutually agreed upon, and perhaps temporary.
“We had ongoing conversations with HackerOne and it was considered mutually the ideal issue for both get-togethers due to the animosity from these researchers to quickly pause our engagement,” she told SearchSecurity. “It became much too taxing for them to place up with this and for us much too. It made perception for us to come across an substitute and so we are building our personal community bounty software.”
When asked to confirm Voatz’s version of events, a HackerOne spokesperson said, “We are fully committed to respecting the privacy of all consumers — recent and previous — so I can’t go into much too many specifics about the Voatz software at this time.”
The “animosity from these researchers” refers to a 2018 incident in which Voatz was accused of reporting a group of University of Michigan students to the FBI for attempting to hack a live production system of Voatz’s application. The university said that the students were conducting dynamic analysis of the application. Because election infrastructure is classified as critical infrastructure and it is a federal offense to tamper with it, Braseth said that they were required by law and contract to report them to West Virginia, which was holding an election pilot program at the time. After that, “West Virginia made the determination to report this action to the FBI,” Braseth said.
“And so there was a fake presumption that Voatz documented a researcher to the FBI, and a tiny group of researchers began to craft an, if I could say, antagonistic technique to Voatz, and given that then have been pressuring any of our associates to consider to get them to abandon or prevent operating with us. Everyone from folks piloting our engineering to associates like HackerOne. And so we consider this to be a portion of that aftermath,” Braseth said.
Voatz’s mobile voting platform has been used in a number of places across the United States, including West Virginia for its 2018 midterm elections, as well as other states like Colorado and Utah. However, in the wake of the MIT research, West Virginia announced that it would stop using Voatz for its elections.
An independent audit by infosec consultancy Trail of Bits reinforced MIT’s findings and found more security weaknesses. Braseth explained that this audit was done in partnership with Voatz, and while Voatz responded to each finding, Trail of Bits did not include these responses in its final blog post.