
Spyware firm FlexiSPY refused entry to HackerOne’s bug bounty program

A vendor of spyware has been rejected from HackerOne's bug bounty program based on an ethical decision, according to a post on the blog of independent computer security analyst Graham Cluley.

HackerOne is an online bug bounty and vulnerability disclosure platform that lets organizations do everything from automating a vulnerability disclosure process to launching a private or public bug bounty program.

The company was at first receptive to FlexiSPY's request, taking the vendor at its word that it intended to improve "digital society." However, once HackerOne stepped back to "reexamine" its policies, it rejected the partnership. The spyware tool can be used to spy on children and others, and allows users to intercept SMS messages and emails, alter social media profiles, and listen in on live calls.

The rejection follows a breach of FlexiSPY's software by two hackers, dubbed "The Decepticons," intent on putting the company out of business, as revealed in a recent interview with Motherboard.

The breach, along with the attendant publicity on social media platforms, led FlexiSPY to seek to move its bug bounty program over to HackerOne. It sought to offer security researchers up to $5,000 for finding flaws in its portal and systems, a reward level typical of programs on bug bounty platforms.

HackerOne at first accepted the client as it would any other. After consulting with its legal team, discussing the pitch in-house and weighing the resulting fury that sparked up on social media, HackerOne reconsidered its choice.

In a statement posted on May 4, HackerOne's CEO Marten Mickos and CTO Alex Rice wrote: "HackerOne will always make vulnerability disclosure programs available to all organizations that operate legally and commit to working with hackers in good faith. These organizations are welcome to host their security@ on the HackerOne platform. We will not take action against them based exclusively on moral judgements.

"However, engaging proactively with the HackerOne community through a bug bounty program is a privilege that is only afforded to organizations that conduct themselves in an ethical manner. In our assessment, FlexiSPY actively infringes upon the rights of others and markets on questionable legal premises. Their business conduct is not in line with our ambition to build a safe and sound internet where the sovereignty and safety of each participant is respected. As such, FlexiSPY will not be permitted to host a bug bounty program on HackerOne."

Mickos told The Register that FlexiSPY was never a customer of HackerOne, but had merely expressed interest in using the bug bounty host.

After sending a request for comment, SC Media received the following statement on Wednesday from FlexiSPY:

Regarding HackerOne's decision not to accept a FlexiSPY application to use their bug bounty platform — this is their right and we respect their decision. It is their platform and they have invested time and treasure in building a brand and a user base, and they are entitled to reverse their original position on this issue for the good of their business.

Having said this, we believe that their decision was political and was not based on any actual facts or judgment by a competent legal authority — nor was it in the interest of Internet safety. The stated justifications are simply unsubstantiated opinions and are, understandably, a way of rationalizing decisions forced upon them by their community — let us not forget that, in the final analysis, they are a commercial organization with no obligations to anyone but their shareholders.

Therefore, there is nothing to be gained by trying to debate their justifications — more power to them.

Yet, with adversity comes opportunity, and the money saved from not using the HackerOne platform has gone into increasing the rewards for direct bug reports — which confirm that there continues to be no known way to compromise FlexiSPY customer monitoring data.

Having made the point about the commercial realities facing HackerOne, we wish to address the purported issues of ethics and legality for the average reader.

There is nothing unethical or illegal about selling software for the purposes of monitoring minors for whom you are a legal guardian. There is nothing illegal about selling software to monitor business devices that are used by informed employees. There is nothing illegal about selling software to allow monitoring of a device that you are the legal owner of in case of theft.

To suggest otherwise is completely false, particularly as a few minutes' research will show there are literally dozens of other companies — many of which are household names — making similar products.

It is, however, unethical and potentially illegal to install ANY software whatsoever on a device for which you have not received consent from the legal owner.

This would apply to ANY software, including hacking tools, backup programs, device drivers, proxy servers, FTP clients, GPS location-enabled dating apps, and so the list goes on. It could even be argued that enabling "track my iPhone" on a device that did not belong to you was illegal. The point is that software is not illegal; it's how you use it that matters.

This has never been in doubt, but it does not meet the needs of a handful of niche bloggers, who continue to flog dead horses from the past to an audience conditioned to never look beyond the headline.

The irony is that, if people were to judge HackerOne by sensational stories of the damage done by hackers, and did not look in detail at what they actually do — and instead focused on the continual use of the word 'hack', or were told that HackerOne 'are in the business of promoting hacking', or that they are a 'hacking company' — the average reader would have a negative view of HackerOne. Regardless of the truth.

Finally, we encourage anyone who believes that we are operating in anything less than a lawful manner, to bring their concerns to us, rather than delegating their thinking to the few micro-audience writers who sacrifice objectivity for eyeballs.

HackerOne declined to comment for this article.
