Spyware developer FlexiSpy planned to lure researchers to disclose vulnerabilities in its software through HackerOne. HackerOne had other ideas.
Last month, the surveillance firm revealed plans on Twitter to transfer its bug bounty program to HackerOne. The bug bounty program, created in the "interest of transparency," would have offered researchers between $100 and $5000 to privately disclose bugs to the company.
FlexiSpy said that the move was in the approval stage but likely did not imagine there would be any roadblocks.
Vulnerabilities of any kind are bad news when exploited, but with this particular bug bounty request, there were ethical considerations to take into account.
FlexiSpy offers consumer spyware for sale, which is known to have been installed to track children as well as spouses and partners.
Once paid for and installed, the spyware allows users to remotely listen in to live calls, snoop on text messages and VoIP, send fake SMS messages, intercept and view multimedia content, read emails and compromise other apps such as WhatsApp, Facebook, Skype, and Instagram, among others.
In response to the request and the online debate which subsequently followed, HackerOne CEO Marten Mickos and CTO Alex Rice clarified the bug bounty platform's position. On Thursday, the pair said in a blog post that FlexiSpy is not a customer, but has prompted a re-examination of what can occur when company principles clash.
Last month, a group of hackers calling themselves the Decepticons allegedly compromised FlexiSpy and leaked the firm's software source code online. This likely prompted the bug bounty application, but the firm's dubious legal position and the purpose of the FlexiSpy consumer spyware itself have made bug bounty providers nervous.
Bugcrowd has already said publicly that FlexiSpy would not be welcome, and now, HackerOne has explained why the firm, too, will not be accepting FlexiSpy's application.
While HackerOne believes acceptance should not rely on "arbitrary moral judgments" and software legality should be left to courts to decide, there is both "broad evidence" and a general belief that FlexiSpy is operating illegally, and any company connected to the firm may eventually be dragged down with it.
In addition, while vulnerabilities are "universally bad" and the whole purpose of bug bounty programs is to improve overall security and keep the open market flowing, where to draw the line when it comes to grey software is a difficult decision.
"As long as FlexiSPY is permitted to market software designed to spy on kids and victims of domestic abuse, vulnerabilities will put those individuals at risk," HackerOne says. "It is impossible to confidently predict the collateral damage of an exploited vulnerability. On balance, if someone is infected with spyware they're probably better off infected with secure spyware [...] But fixing them benefits the spyware company more than it protects the victims."
The bug bounty platform also argues that "market[ing] their product security as 'Secured by HackerOne' directly supports their sales efforts and leads to further distribution and victimization."
Should FlexiSpy be accepted by HackerOne, the company would also be required to publish a vulnerability disclosure policy and commit to protecting hackers against legal action -- neither of which is currently the case.
"HackerOne will always make vulnerability disclosure programs available to all organizations that operate legally and commit to working with hackers in good faith," the company says. "These organizations are welcome to host their security on the HackerOne platform. We will not take action against them based exclusively on moral judgments."
"However, engaging proactively with the HackerOne community through a bug bounty program is a privilege that is only afforded to organizations that conduct themselves in an ethical manner," HackerOne added.
FlexiSpy will not be permitted to host a bug bounty program on HackerOne and did not immediately respond to a request for comment.