Election App Voatz Just Got Kicked Out of a Major Bug Bounty Program

30 March 2020

Bug bounty platform HackerOne severed ties with Medici Ventures-backed Voatz, the blockchain-based mobile voting app, for breach of partnership standards. 

The removal cuts off Voatz’ access to HackerOne’s network of “ethical hackers” who trade their expertise in finding code faults for cash. HackerOne partners with corporations interested in shoring up potential security vulnerabilities. Across 1,800 total relationships and eight years, though, it’s never before kicked a partner out, said representative Samantha Spielman.

The news was first reported Monday by CyberScoop.

Spielman said Voatz’ breach of “partnership standards” made the relationship unviable, despite the program’s past bug-hunting successes. 

“As a platform, we work tirelessly to foster that mutually beneficial relationship between security teams and the researcher community,” she said. Spielman declined to elaborate on Voatz’ standards breach.

Voatz told CoinDesk in a statement it regrets the relationship’s “temporary pause.” It said that HackerOne had caved to a “small group of researchers who, along with a few other members of the community, believe Voatz reported a researcher to the FBI.”

“This falsehood and misinformation has been a source of animosity toward Voatz and our partners, who face consistent attacks from these researchers,” the statement said.

West Virginia Secretary of State Mac Warner said in October 2019 the Federal Bureau of Investigation was investigating an attempted breach of the app during a pilot program in 2018. West Virginia has used the app in multiple pilots, and Warner maintains that no votes have been altered to date. 

Rocky year

Voatz came under the spotlight in mid-February when a group of MIT researchers released a scathing write-up highlighting myriad apparent security flaws in the app. They alleged Voatz was essentially bunk, criticized its transparency and called up election officials considering the app to maybe think twice. 

Voatz responded with its own criticism. In a sarcasm-laced Feb. 13 press release, it called the researchers’ report unfair and their “bad faith recommendations” irreparably flawed.

However, earlier this month Trail of Bits published a report supporting the MIT researchers’ claims. Voatz had commissioned Trail of Bits to analyze its platform.

Voatz began working with HackerOne in August 2018 and has paid out over $6,000 to researchers through “HackerOne and other avenues” since. It plans to announce its own bounty program “in the coming days.”

West Virginia has dropped its partnership with the company.