Security Audits

Security audits involve a comprehensive evaluation of the various components of the Voatz platform, including the:

1. Cloud infrastructure
2. Mobile applications
3. Blockchain network
4. Corporate network
5. Source code

Testing focuses on the most critical security concerns as outlined by organizations such as the Open Web Application Security Project (OWASP), The SANS Institute, the National Institute of Standards and Technology (NIST), and The MITRE Corporation. They cover, but are not limited to:

• OWASP Mobile Top 10 Risks
• Unintended data leakage
• Attack on binary protections
• Local and remote Injection attacks
• Unauthorized information disclosure attacks
• Application reverse engineering or decompilation
• Common authentication and authorization issues

Leveraging proprietary methodologies, auditors also test for risks beyond the above lists of common and known issues. Extensive reviews of the Voatz source code are also conducted on an ongoing basis.

Multiple, independent third parties are involved in conducting the assessments. We voluntarily engaged with the Department of Homeland Security (DHS) and one of the leading federal testing labs in the nation to review our infrastructure and the technologies deployed in our pilots.

In 2018, Voatz became the first elections company in the world to launch a public bug bounty program to facilitate ongoing threat detection for its upcoming product releases.

The following tools/services are also used for pen testing and SSL testing:

• Sectigo/HackerGuardian
• Qualys SSL Labs

Additionally, teams from the West Virginia Secretary of State office and the DHS (CISA) have conducted thorough onsite inspections of the Voatz offices.

Audits and bug hunting are a normal part of any software development process. We constantly implement improvements and updates across the platform based on the suggestions and feedback we receive from auditors and county clerks, and release them at regular intervals. Voatz follows an agile development and testing methodology based on rapid iteration and implementation. We place high priority on the needs of our voters and the goals of our pilot jurisdictions. As such, deployments to the public mobile app stores and directed environments are done only upon approval from our Security & Quality Assurance teams.

The following outlines select audits Voatz has participated in:

*Vendor requested anonymity

Learn more about our issue disclosure policy here.

Yes. Security is not a destination, but an ongoing exercise due to the ever-evolving nature of threats, especially when it relates to our electoral infrastructure. The Voatz team and our partners are fully committed to the improvement and evolution of our electoral infrastructure. We understand that threat mitigation and security assessment are continuous processes that must be conducted frequently and thoroughly. Both Voatz and Hyperledger are running bug bounty programs for all upcoming releases in order to ensure the highest quality and security across the platform.