Security Audits

What is the security audit process?

Security audits involve a comprehensive evaluation of the various components of the Voatz platform, including the:

Cloud infrastructure
Mobile applications
Blockchain network
Corporate network
Source code

Testing focuses on the most critical security concerns as outlined by organizations such as the Open Web Application Security Project (OWASP), The SANS Institute, the National Institute of Standards and Technology (NIST), and The MITRE Corporation. They cover, but are not limited to:

OWASP Mobile Top 10 Risks
Unintended data leakage
Attack on binary protections
Local and remote Injection attacks
Unauthorized information disclosure attacks
Application reverse engineering or decompilation
Common authentication and authorization issues

Leveraging proprietary methodologies, auditors also test for risks beyond the above lists of common and known issues. Extensive reviews of the Voatz source code are also conducted on an ongoing basis.

Who conducts the audits?

Multiple, independent third parties are involved in conducting the assessments. We voluntarily engaged with the Department of Homeland Security (DHS) and one of the leading federal testing labs in the nation to review our infrastructure and the technologies deployed in our pilots.

In 2018, Voatz became the first elections company in the world to launch a public bug bounty program to facilitate ongoing threat detection for its upcoming product releases.

The following tools/services are also used for pen testing and SSL testing:

Additionally, teams from the West Virginia Secretary of State office and the DHS (CISA) have conducted thorough onsite inspections of the Voatz offices.

What were the outcomes of the audits?

Audits and bug hunting are a normal part of any software development process. We constantly implement improvements and updates across the platform based on the suggestions and feedback we receive from auditors and county clerks, and release them at regular intervals. Voatz follows an agile development and testing methodology based on rapid iteration and implementation. We place high priority on the needs of our voters and the goals of our pilot jurisdictions. As such, deployments to the public mobile app stores and directed environments are done only upon approval from our Security & Quality Assurance teams.

The following outlines select audits Voatz has participated in:

Year	Category	Scope	Conducted by	Status	Reports
2016	Whitebox Testing	Mobile Applications	Independent Security Vendor*	Complete	Available for Voatz clients. Please contact your account manager for details.
2018	Whitebox Testing, Blackbox Testing	Mobile Applications, Core Servers, Blockchain Infrastructure	Independent Security Vendor*	Complete	Assessment Report
2019	Citizens Audit #1	Post-election Audit (Denver County, CO)	Pool of volunteer citizens, election officials, experts	Complete	NCC Report
2019	Citizens Audit #2	Post-election Audit (Utah County, UT)	Pool of volunteer citizens, election officials, experts	Complete	NCC Report
2019	Hunt Assessment	Infrastructure Audit	CISA (DHS) Hunt and Incident Response Team (HIRT)	Complete	Engagement Summary Report
2020	Whitebox Analysis, Threat Modeling	Mobile Applications, Core Servers, Blockchain Infrastructure	Trail of Bits	Complete	Threat Model Assessment Report Voatz Responses-I
2020	Citizens Audit #3	Post-Election Audit, Utah GOP State Party	Pool of volunteer citizens, election officials, experts	Complete	NCC Report
2020	VVSG 1.1 Compliance Testing (including Usability and Accessibility), Whitebox Testing	Mobile Applications, Core Servers	Pro V&V - EAC/Federally Certified Voting Systems Test Laboratory (VSTL)	Phase I - Complete Phase II - Complete	Phase I Test Report Compliance Letter Phase II Report
2020	Whitebox Analysis, Blackbox Testing, Threat Modeling	Mobile Applications, Core Servers, Blockchain Infrastructure	Private Election Security Lab*	Complete	Available for Voatz clients (US only). Please contact your account manager for details.
2021	Red Team Testing	Mobile Applications, Core Servers	Independent Security Vendor*	Complete	Available for Voatz clients. Please contact your account manager for details.
2022	Red Team Testing	Mobile Applications, Core Servers	Independent Security Vendor*	Complete	Available for Voatz clients. Please contact your account manager for details.
2022	Application Penetration Testing	Web Applications, Mobile Applications, Core Servers	Independent Security Vendor*	Complete	Available for Voatz clients (Canada only). Please contact your account manager for details.
2023	Compliance Audit	Web Applications, Mobile Applications, Core Servers, Blockchain Infrastructure	GBA BMM Auditors	Complete	BMM Trust Rating
2023	StateRAMP Security Snapshot	Web Applications, Mobile Applications, Core Servers, Blockchain Infrastructure	StateRAMP	Complete	Available for Voatz clients. Please contact your account manager for details.

*Vendor requested anonymity

Learn more about our issue disclosure policy here.

Will there be more audits?

Yes. Security is not a destination, but an ongoing exercise due to the ever-evolving nature of threats, especially when it relates to our electoral infrastructure. The Voatz team and our partners are fully committed to the improvement and evolution of our electoral infrastructure. We understand that threat mitigation and security assessment are continuous processes that must be conducted frequently and thoroughly. Both Voatz and Hyperledger are running bug bounty programs for all upcoming releases in order to ensure the highest quality and security across the platform.