Security Audits

What is the security audit process?

Security audits involve a comprehensive evaluation of the various components of the Voatz platform, including the:

  1. Cloud infrastructure
  2. Mobile applications
  3. Blockchain network
  4. Corporate network
  5. Source code

Testing focuses on the most critical security concerns as outlined by organizations such as the Open Web Application Security Project (OWASP), The SANS Institute, the National Institute of Standards and Technology (NIST), and The MITRE Corporation. They cover, but are not limited to:

  • OWASP Mobile Top 10 Risks
  • Unintended data leakage
  • Attack on binary protections
  • Local and remote Injection attacks
  • Unauthorized information disclosure attacks
  • Application reverse engineering or decompilation
  • Common authentication and authorization issues

Leveraging proprietary methodologies, auditors also test for risks beyond the above lists of common and known issues. Extensive reviews of the Voatz source code are also conducted on an ongoing basis.

Who conducts the audits?

Multiple, independent third parties are involved in conducting the assessments. We voluntarily engaged with the Department of Homeland Security (DHS) and one of the leading federal testing labs in the nation to review our infrastructure and the technologies deployed in our pilots.

In 2018, Voatz became the first elections company in the world to launch a public bug bounty program to facilitate ongoing threat detection for its upcoming product releases.

The following tools/services are also used for pen testing and SSL testing:

Additionally, teams from the West Virginia Secretary of State office and the DHS (CISA) have conducted thorough onsite inspections of the Voatz offices.

What were the outcomes of the audits?

Audits and bug hunting are a normal part of any software development process. We constantly implement improvements and updates across the platform based on the suggestions and feedback we receive from auditors and county clerks, and release them at regular intervals. Voatz follows an agile development and testing methodology based on rapid iteration and implementation. We place high priority on the needs of our voters and the goals of our pilot jurisdictions. As such, deployments to the public mobile app stores and directed environments are done only upon approval from our Security & Quality Assurance teams.

The following outlines select audits Voatz has participated in:

Year Category Scope Conducted by Status Reports
2016 Whitebox Testing Mobile Applications Independent Security Vendor* Complete Available for Voatz clients. Please contact your account manager for details.
2018 Whitebox Testing, Blackbox Testing Mobile Applications, Core Servers, Blockchain Infrastructure Independent Security Vendor* Complete Assessment Report
2019 Citizens Audit #1 Post-election Audit (Denver County, CO) Pool of volunteer citizens, election officials, experts Complete NCC Report
2019 Citizens Audit #2 Post-election Audit (Utah County, UT) Pool of volunteer citizens, election officials, experts Complete NCC Report
2019 Hunt Assessment Infrastructure Audit CISA (DHS) Hunt and Incident Response Team (HIRT) Complete Engagement Summary Report
2020 Whitebox Analysis, Threat Modeling Mobile Applications, Core Servers, Blockchain Infrastructure Trail of Bits Complete Threat Model
Assessment Report
Voatz Responses-I
2020 Citizens Audit #3 Post-Election Audit, Utah GOP State Party Pool of volunteer citizens, election officials, experts Complete NCC Report
2020 VVSG 1.1 Compliance Testing (including Usability and Accessibility), Whitebox Testing Mobile Applications, Core Servers Pro V&V - EAC/Federally Certified Voting Systems Test Laboratory (VSTL) Phase I - Complete
Phase II - Complete		 Phase I Test Report
Compliance Letter
Phase II Report
2020 Whitebox Analysis, Blackbox Testing, Threat Modeling Mobile Applications, Core Servers, Blockchain Infrastructure Private Election Security Lab* Complete Available for Voatz clients (US only). Please contact your account manager for details.
2021 Red Team Testing Mobile Applications, Core Servers Independent Security Vendor* Complete Available for Voatz clients. Please contact your account manager for details.
2022 Red Team Testing Mobile Applications, Core Servers Independent Security Vendor* Complete Available for Voatz clients. Please contact your account manager for details.

*Vendor requested anonymity

Learn more about our issue disclosure policy here.

Will there be more audits?

Yes. Security is not a destination, but an ongoing exercise due to the ever-evolving nature of threats, especially when it relates to our electoral infrastructure. The Voatz team and our partners are fully committed to the improvement and evolution of our electoral infrastructure. We understand that threat mitigation and security assessment are continuous processes that must be conducted frequently and thoroughly. Both Voatz and Hyperledger are running bug bounty programs for all upcoming releases in order to ensure the highest quality and security across the platform.