I’m concerned about several of the claims made in this blog post from @Voatz.

They claim to be “staffed by cybersecurity experts”. Let’s take a look at that. 1/

blog.voatz.com/?p=1259
@Voatz I’m very open on LinkedIn; I connect with anyone there. I’m connected to thousands, perhaps tens of thousands of people there now. I’d go find the exact number but I find myself not much caring about it.

Until today, when it gives me the chance to see Voatz staff numbers.

2/
@Voatz I went to look at Voatz’s company page there on LinkedIn. Here it is. Note that the company is between 11-50 people, and 29 of them are on LinkedIn. Given that this is a tech company, I think we can safely say those 29 people capture much of how the staff looks there.

3/
@Voatz I went through all the company staff profiles I could find there, and I do have visibility into most. I saw two people in the company with the word “security” in their title.

I want to be cautious here, because these are individual humans, so I won’t name them.

4/
@Voatz One person says they are a “cybersecurity engineer”, which is roughly the equivalent of calling yourself a medicine doctor or a legal attorney. The other may be split between IT and security.

Two people out of a company with between 29-50 people in it.

5/
@Voatz Voatz isn’t currently publicly hiring any more security. They have 2 job openings posted on LinkedIn. One is customer-facing sales, and the other is a platform/blockchain engineer. In neither JD does the word “security” appear.

Confirmed in 2nd screenshot from their site.

6/
@Voatz Why is this an issue? For a company inserting itself into US voting that claims to be staffed by "cybersecurity experts," there appears to be rather a stunning lack of what I'd consider a proportional number of information security engineers.

7/
@Voatz Unless Voatz is engaged with an MSSP handling SOC, an external red team testing provider, a security strategy management firm, and robust third party security services, they seem to me to be unprepared to handle most incoming.

8/
@Voatz Even if HackerOne handles their bug bounty, who's implementing the necessary fixes? I have run security in large and small companies, and 1.5 FTE in security is not yet mature enough to triage and repair any external bug reports. Let's take a look at Voatz's claim there.

9/
@Voatz Here's the Voatz bug bounty program on @Hacker0x01.

hackerone.com/voatz

Looks like since they launched ~19 months ago, they've resolved 9 bug reports.

10/
@Voatz @Hacker0x01 First, let me congratulate Voatz on at least having a public bug bounty program.

After all, "the distinction between pretending you are better than you are and beginning to be better in reality is finer than moral sleuthhounds conceive." - CS Lewis, 'Surprised by Joy'

11/
@Voatz @Hacker0x01 We can see that it takes that 1.5 infosec staff about 23 days to even triage a report. Given the recent Iowa primaries issue with an unrelated app, where 7 days to resolution was viewed as catastrophic, it's hard to want to trust our democracy to a +3 week triage schedule.

12/
@Voatz @Hacker0x01 What concerns me deeply is how Voatz received and deflected this recent report by {eminent/distinguished/renowned} MIT researchers @mspecter @jimmykoppel @djweitzner

internetpolicy.mit.edu/wp-content/upl…

13/
@Voatz @Hacker0x01 @mspecter @jimmykoppel @djweitzner I can brush off most of Voatz's claims to work closely and collaboratively with independent security researchers as PR fluff, given that they don't provide any production access or infrastructure access at all to anyone, including at HackerOne, their own BB program.

14/
@Voatz @Hacker0x01 @mspecter @jimmykoppel @djweitzner However, it is an undisputed and ugly fact that Voatz reported a student at University of Michigan to the FBI for reporting a bug within their own policy scope, and retroactively changed the terms of their scope to exclude that student's work.

15/
@Voatz @Hacker0x01 @mspecter @jimmykoppel @djweitzner I find it poetic that Specter, Koppel, and Weitzner at MIT reported to @CISAgov. They protected themselves by reporting serious security flaws in a federal contractor's election technology to *the Fed agency tasked with election security.* Bravo.

internetpolicy.mit.edu/faq-on-the-sec…

16/
@Voatz @Hacker0x01 @mspecter @jimmykoppel @djweitzner @CISAgov Why does Voatz do this? As a corporate information security executive who's handled risk mgmt strategy, offensive security, data privacy, and encryption issues, one major struggle I and my colleagues perpetually have is managing internal appetite for third-party reporting.

17/
@Voatz @Hacker0x01 @mspecter @jimmykoppel @djweitzner @CISAgov Even when you have exec buy-in on taking 3rd-party vulnerability reports, you still have to triage, repair, publish, & reward. That is a *big* job, & there's strong argument that by receiving 3rd-party reports & not fixing rapidly, you're potentially accruing liability.

18/
@Voatz @Hacker0x01 @mspecter @jimmykoppel @djweitzner @CISAgov Voatz does *not* make production apps, infrastructure, or really, anything meaningful, available for bug bounties or external researchers. They exclude most (and arguably, the most important) actual attack surfaces from the BB program.

hackerone.com/voatz

19/
@Voatz @Hacker0x01 @mspecter @jimmykoppel @djweitzner @CISAgov I absolutely understand how hard it is to run a BB program that triages external reports. Excluding scope can simply be a method of bottlenecking reports while you staff up infosec engineering to handle it.

What I don't see is Voatz staffing up infosec to handle it.

20/
@Voatz @Hacker0x01 @mspecter @jimmykoppel @djweitzner @CISAgov Not only has Voatz limited scope, reported researchers to the FBI, and made demonstrably false claims about their app security, but the big reason to limit bug bounty scope--to staff up to handle incoming--has zero job postings.

21/
@Voatz @Hacker0x01 @mspecter @jimmykoppel @djweitzner @CISAgov In conclusion, that Voatz blog post contains contradictions between what they say & what their current actions demonstrate their intentions to be, & we should not trust our democracy to them without seeing their actions & words brought into alignment with each other.

22/22
@Voatz @Hacker0x01 @mspecter @jimmykoppel @djweitzner @CISAgov Postscript: @yaelwrites has an excellent timeline here of her attempts to get any responses to open security concerns from Voatz:
Keep Current with Tarah