Election App Voatz Just Got Kicked Out of a Major Bug Bounty Program

Bug bounty platform HackerOne severed ties with Medici Ventures-backed Voatz, the blockchain-based mobile voting app for breach of partnership standards.

AccessTimeIconMar 30, 2020 at 9:20 p.m. UTC
Updated Sep 14, 2021 at 8:23 a.m. UTC

Bug bounty platform HackerOne severed ties with Medici Ventures-backed Voatz, the blockchain-based mobile voting app, for breach of partnership standards. 

The removal cuts off Voatz’ access to HackerOne’s network of “ethical hackers” who trade their expertise in finding code faults for cash. HackerOne partners with corporations interested in shoring up potential security vulnerabilities. Across 1,800 total relationships and eight years, though, it's never before kicked a partner out, said representative Samantha Spielman.

The news was first reported Monday by CyberScoop.

Spielman said Voatz’ breach of “partnership standards” made the relationship unviable, despite the program’s past bug-hunting successes. 

“As a platform, we work tirelessly to foster that mutually beneficial relationship between security teams and the researcher community,” she said. Spielman declined to elaborate on Voatz’ standards breach.

Voatz told CoinDesk in a statement it regrets the relationship’s “temporary pause.” It said that HackerOne had caved to a “small group of researchers who, along with a few other members of the community, believe Voatz reported a researcher to the FBI.”

“This falsehood and misinformation has been a source of animosity toward Voatz and our partners, who face consistent attacks from these researchers,” the statement said.

West Virginia Secretary of State Mac Warner said in October 2019 the Federal Bureau of Investigation was investigating an attempted breach of the app during a pilot program in 2018. West Virginia has used the app in multiple pilots, and Warner maintains that no votes have been altered to date. 

Rocky year

Voatz came under the spotlight in mid-February when a group of MIT researchers released a scathing write-up highlighting myriad apparent security flaws in the app. They alleged Voatz was essentially bunk, criticized its transparency and called up election officials considering the app to maybe think twice. 

Voatz responded with its own criticism. In a sarcasm-laced Feb. 13 press release, it called the researchers’ report unfair and their “bad faith recommendations” irreparably flawed.

However, earlier this month Trail of Bits published a report supporting the MIT researchers' claims. Voatz had commissioned Trail of Bits to analyze its platform.

Voatz began working with HackerOne in August 2018 and has paid out over $6,000 to researchers through “HackerOne and other avenues” since. It plans to announce its own bounty program “in the coming days.”

West Virginia has dropped its partnership with the company.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.