Voatz Security Issue Disclosure Policy

This Security Issue Disclosure Policy document sets forth the policies that Voatz uses to disclose security issues in its Mobile Voting Platform and their resolutions.

Preamble

The security of our election infrastructure is critical to the integrity of our democracy. Therefore, we value the input of security researchers acting in good faith to help us maintain a high standard for the security of our systems, which in turn gives all voters confidence in our electoral process. This includes encouraging responsible research and disclosure of issues. This policy sets forth our definition of good faith in the context of finding and reporting issues, as well as what you can expect from Voatz in return.

Scope

The scope of this policy includes only Internet-accessible election applications and infrastructure, including:

  • App-based mobile voting platforms
  • Web-based remote ballot marking systems

From time to time, Voatz may add additional items to the above list. Any systems not listed above are out-of-scope for security testing under this policy.

How to report

We recommend the following methods to report:

  • Use our bug bounty programs.
  • Send an email directly to cso at voatz.com.

From time to time, Voatz may add additional methods to the above list.

What you can expect from Voatz

When working with us according to this policy, you can expect us to:

  • Always hold the integrity of the democratic process as critical to our mission.
  • Extend Safe Harbor for your issue / vulnerability research that is related to this policy.
  • Work with you to understand and validate your report, including a timely initial response to the submission.
  • Work to remediate discovered issues / vulnerabilities within our budgetary and operational constraints.
  • Recognize your contribution to improving our security, after remediation and at a time of our choosing if you are the first to report a unique issue / vulnerability, and if your report triggers a code or configuration change.

With your permission, we will disclose unfixed issues that you find to other security researchers to assist in their testing and to avoid unnecessary duplication of effort.

What happens if an issue or vulnerability provides unintended access to data?

If an issue or vulnerability provides unintended access to data:

  • Cease testing and submit a report immediately if you encounter any user or voter data during testing, such as Personally Identifiable Information (PII).
  • Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept.
  • Avoid downloading or extracting data of any kind. A screenshot of 3-5 records and/or a brief video is generally enough for your Proof of Concept.

Safe Harbor Policy

Voatz acknowledges the research community’s important role in securing our services. Due to their designation as U.S. Critical Infrastructure, our live systems are subject to strict monitoring and incident reporting requirements. We therefore ask that participants take special care to limit testing activities to our test environments. Unfortunately, Voatz is unable to guarantee safe harbor if you make attempts to access production assets and / or live election systems for testing purposes.

Our test environments have been designed to closely mirror our live environments and we encourage you to contact us if your research is inhibited in any way.

Voatz supports safe harbor for participants who:

  • Use the test or beta versions of our mobile apps (Apple TestFlight or Google Play Beta) as provided through our program’s scope and the specific links on this page below.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Provide us with a reasonable amount of time to resolve vulnerabilities prior to any disclosure to the public or a third party.

We will consider activities conducted consistent with this policy to constitute “authorized” conduct and will not pursue civil action or initiate a complaint against you. We will help to the extent we can if legal action is initiated by a third party against you. When conducting vulnerability research consistent with this policy, we consider the research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and / or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful and helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

Responsible Disclosure Policy[1]

For the protection of our customers and to protect against malicious attackers seeking to sow misinformation and / or to exploit reported but not yet resolved security issues, Voatz does not disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available. To minimize the potential disruption to the electoral process, Voatz will make public disclosure during defined Issue Disclosure Windows (IDWs)[2].

While we will always strongly consider your assessment and recommendations regarding vulnerability severity, Voatz retains the authority to determine what issues and / or vulnerabilities can and should be remediated and within what time frame. We will always prioritize our mission to administer fair elections and will address vulnerabilities to the best of our ability to achieve that goal.

[1] The Voatz Security Policy is modeled after Apple’s security policy.

[2] The timing of IDWs is determined by the election calendars of Voatz customers. Note, the nature of IDWs is inherently fluid (e.g. special elections to fill the position of a deceased elected official).

Last Updated: March 1, 2020

Official Statement from Voatz Regarding Mobile Voting Pilot in West Virginia

We are thrilled our efforts to make mobile voting a reality are sparking an engaged conversation around the nation’s first mobile voting pilot in a federal election.

In our three years as a company, more than 75,000 votes have been cast on our platform, and we’ve administered more than 30 pilot elections. With each election we’ve learned something new, and we will continue to take the time necessary to ensure that the voting process is secure for voters.

As with the implementation of all new election technologies, the implementation of mobile voting will be a process. It is not something that can, nor that we want to, happen overnight.  

We applaud the State of West Virginia for leading the charge in making voting more convenient for military personnel, their families, and for citizens living overseas. We are proud to be their partner. The initial pilot, conducted earlier this year, was met with enthusiasm and gratitude by those serving abroad. We are excited to continue learning and growing the platform to enable more overseas citizens to vote with greater convenience.

Given the engaged conversation, we wanted to address a number of technical questions that we’ve been asked, which are outlined below:

 

What specific blockchain technology does Voatz use?

The Voatz ‘permissioned’ blockchain is built using the Hyperledger blockchain framework first created by IBM, now supported by the Linux Foundation. This type of blockchain is distinctly different from permissionless blockchain frameworks, like Bitcoin. In order to participate in the permissioned blockchain, a voter or auditor must first be verified. In the general election pilot, eight verified validating nodes will be used, split evenly between AWS and Microsoft Azure, each of which is geographically distributed. We believe that the initial rollout of a blockchain-based election technology benefits greatly from using such a permissioned approach as it can more accurately emulate how elections are administered presently in the US.

Has this been vetted by independent 3rd party auditors?

Yes. Following the first West Virginia pilot, multiple independent technology firms were engaged to vet the Voatz system. Reputable security companies were engaged to conduct penetration testing on the system and to inspect the source code of the Backend Systems and the Voatz smartphone application for both iOS and Android. A public bug bounty program has been engaged to continuously analyze and test the implementation of the blockchain network and the mobile applications.

Additionally, tools provided by Comodo/HackerGuardian and Qualys SSL Labs were used to conduct vulnerability scans and SSL testing.


Has Voatz run pilots before? Have they all been successful?

Yes. To date, Voatz has conducted more than 30 successful pilots that range from state party conventions to student government elections. In the largest election, more than 15,000 votes were cast. The purpose of all the Voatz pilots is to learn, to improve and to deliver on stakeholder expectations. We experienced an instance of an on-premise election in Utah where we were unsuccessful in meeting the needs of the client. We were unable to support the large numbers of voters who simultaneously attempted to download the app and become verified within a short 30-minute period before voting started. While the Voatz team was disappointed with the outcome of the Utah pilot, it was a valuable learning experience that we have used to make changes and improvements to our system, which have been integrated into subsequent pilots.

 

How is privacy preserved in a blockchain infrastructure?

Blockchain technology, when used for financial transactions as in Bitcoin, cannot be totally anonymous, hence the term “pseudonymous”. However, when used in voting with the Voatz application, the identity of the voter is doubly anonymized: first by the smartphone, and second by the blockchain server network.

If a user’s phone or mobile network is compromised, is their vote compromised as well?

The Voatz platform goes to significant lengths to prevent a vote from being submitted if a device is compromised. Only certain classes of smartphones that are equipped with the latest security features are allowed to be used. Detecting a compromised mobile network is particularly challenging for a mobile application, which is why ensuring end-to-end vote encryption and vetting the certificates represented by unique IDs stored on the smartphone are two of the approaches we use to mitigate a compromised mobile network.

How can votes stored on the blockchain be audited?

In the West Virginia pilot, a paper ballot is printed for each mobile ballot submitted on the blockchain, then tabulated like a normal absentee ballot. This ballot contains information that can be used in an audit to ensure that every vote cast from a smartphone was counted exactly once, and counted correctly. For the general election, a real-time voter-verified paper trail will be generated, which will allow the state to conduct a post-election audit.

 

Resources
Learn more about Voatz and the pilot elections we’ve conducted: https://blog.voatz.com/
Learn more about the West Virginia pilot: https://wvexperience.voatz.com/faq.html
For additional questions, please email: pr at voatz.com
Released by Voatz, Inc. 7 August 2018. Last updated on 14 September 2018.