Voatz Bug Bounty Kicked Off of HackerOne Platform

For the first time in its history, bug bounty and vulnerability disclosure platform HackerOne has kicked a company off its platform.

Blockchain-based voting platform Voatz has long touted its bug bounty program through HackerOne when asked about the security of its blockchain-enabled mobile voting app.

Founded in 2012, HackerOne connects businesses with pen testers and cybersecurity researchers. It has hosted over 1,800 customer programs, but the beleaguered Massachusetts-based company's bug bounty is no longer one of them.

“As a platform, we work tirelessly to foster that mutually beneficial relationship between security teams and the researcher community,” HackerOne spokesperson Samantha Spielman told Cointelegraph. “We partner with organizations that prioritize acting in good faith towards the security researcher community and providing adequate access to researchers for testing. Because the Voatz program did not adhere to either of these requirements, we terminated our partnership in March 2020.”

In a statement, a Voatz spokesperson attributed HackerOne's decision to boot the company off the platform to “pressure from a small group of researchers” who “believe Voatz reported a researcher to the FBI.” In fact, Voatz reported the student to the relevant jurisdiction, which then reported the matter to the FBI.

Voatz faced criticism after a student security researcher was referred to the FBI over what the company says was an intrusion attempt, even though that research appears to have been protected by the safe harbor statement in the company's bug bounty program. After the FBI referral made headlines, Voatz retroactively updated its HackerOne bug bounty program terms to narrow the scope of its safe harbor policy, making it unclear whether the program even offered full legal protection.

“Trust is paramount throughout the bug bounty model between security teams, hackers and the platform. Once trust is broken, it's hard to rebuild. While Voatz was able to surface and resolve vulnerabilities through their bug bounty program, the program was not productive for either party,” said Spielman.

Independent security researcher and avid bug bounty hunter Jack Cable said that Voatz was slow to even confirm the two bug bounty reports he filed. In one instance, he found a vulnerability, Voatz shipping private keys copied from Stack Overflow in its app, that Voatz said had no role in its election process. However, a security audit by Trail of Bits suggested the keys were in use in certain functionality, and the finding was listed as a high-severity bug.

“There are many cases where they tried to downplay the severity of something or weren't too clear about whether it was even a vulnerability. Overall, it was just not a very productive experience,” Cable said.

Cable also found his IP address blocked when testing the app, though he says it is unclear whether this was automated. “There were a couple of times when I was testing and I was not able to even [get] on their staging environment because my IP address was blocked,” he said.

MIT researchers who identified serious security flaws in Voatz found many vulnerabilities that would have been outside the scope of the bug bounty program, had they gone through it. Instead, they went through CISA. “We wanted the research to speak for itself, and had legal concerns about Voatz's unprofessional response to prior independent security research, as has been documented in multiple news outlets,” the researchers wrote in an FAQ.

Cable pointed to Voatz's “general hostility to security research as a whole.” Voatz denied the security vulnerabilities described in the MIT report, even after they were confirmed by Trail of Bits, the auditing firm it hired. “On one hand, they're saying, ‘come tell us about the vulnerabilities you find.’ But then when people actually find vulnerabilities, they deny that they even exist,” he said.

“They're clearly not receptive to security research. HackerOne has a responsibility to protect not only its customers, but also hackers on its platform as soon as the company starts crossing that line. I think HackerOne had to act, so I'm glad that they did in this case.”

Voatz said it plans to announce a comprehensive bug bounty program in the coming days.

cointelegraph.com