Security Audits

Security audits involve a comprehensive evaluation of the various components of the Voatz platform, including the:

1. Cloud infrastructure
2. Mobile applications
3. Blockchain network
4. Corporate network
5. Source code

Testing focuses on the most critical security concerns as outlined by organizations such as the Open Web Application Security Project (OWASP), The SANS Institute, the National Institute of Standards and Technology (NIST), and The MITRE Corporation. They cover, but are not limited to:

• OWASP Mobile Top 10 Risks
• Unintended data leakage
• Attack on binary protections
• Local and remote Injection attacks
• Unauthorized information disclosure attacks
• Application reverse engineering or decompilation
• Common authentication and authorization issues

Leveraging proprietary methodologies, auditors also test for risks beyond the above lists of common and known issues. Extensive reviews of the Voatz source code are also conducted on an ongoing basis.

Multiple, independent third parties are involved in conducting the assessments. We voluntarily engaged with the Department of Homeland Security (DHS) and one of the leading federal testing labs in the nation to review our infrastructure and the technologies deployed in our pilots.

In 2018, Voatz became the first elections company in the world to launch a public bug bounty program to facilitate ongoing threat detection for its upcoming product releases.

The following tools/services are also used for pen testing and SSL testing:

• Sectigo/HackerGuardian
• Qualys SSL Labs

Additionally, teams from the West Virginia Secretary of State office and the DHS (CISA) have conducted thorough onsite inspections of the Voatz offices.

Audits and bug hunting are a normal part of any software development process. We constantly implement improvements and updates across the platform based on the suggestions and feedback we receive from auditors and county clerks, and release them at regular intervals. Voatz follows an agile development and testing methodology based on rapid iteration and implementation. We place high priority on the needs of our voters and the goals of our pilot jurisdictions. As such, deployments to the public mobile app stores and directed environments are done only upon approval from our Security & Quality Assurance teams.

The following outlines select audits Voatz has participated in:

Year	Category	Scope	Conducted by	Status	Reports
2016	Whitebox Testing	Mobile Applications	Independent Security Vendor*	Complete	—
2018	Whitebox Testing, Blackbox Testing	Mobile Applications, Core Servers, Blockchain Infrastructure	Independent Security Vendor*	Complete	Assessment Report
2019	Citizens Audit #1	Post-election Audit (Denver County, CO)	Pool of volunteer citizens, election officials, experts	Complete	NCC Report
2019	Citizens Audit #2	Post-election Audit (Utah County, UT)	Pool of volunteer citizens, election officials, experts	Complete	NCC Report
2019	Hunt Assessment	Infrastructure Audit	CISA (DHS) Hunt and Incident Response Team (HIRT)	Complete	Engagement Summary Report
2020	Whitebox Analysis, Threat Modeling	Mobile Applications, Core Servers, Blockchain Infrastructure	Trail of Bits	Complete	Threat Model Assessment Report Voatz Responses-I
2020	Citizens Audit #3	Post-Election Audit, Utah GOP State Party	Pool of volunteer citizens, election officials, experts	Complete	NCC Report
2020	VVSG 1.1 Compliance Testing (including Usability and Accessibility), Whitebox Testing	Mobile Applications, Core Servers	Pro V&V - EAC/Federally Certified Voting Systems Test Laboratory (VSTL)	Phase I - Complete Phase II - Complete	Phase I Test Report Compliance Letter Phase II Report
2020	Whitebox Analysis, Blackbox Testing, Threat Modeling	Mobile Applications, Core Servers, Blockchain Infrastructure	Private Election Security Lab*	In progress	—
2020	Red Team Testing	Mobile Applications, Core Servers	Independent Security Vendor*	In progress	—

*Vendor requested anonymity

Learn more about our issue disclosure policy here.

Yes. Security is not a destination, but an ongoing exercise due to the ever-evolving nature of threats, especially when it relates to our electoral infrastructure. The Voatz team and our partners are fully committed to the improvement and evolution of our electoral infrastructure. We understand that threat mitigation and security assessment are continuous processes that must be conducted frequently and thoroughly. Both Voatz and Hyperledger are running bug bounty programs for all upcoming releases in order to ensure the highest quality and security across the platform.