HackerOne has refused to host a bug bounty program for a spyware seller on the grounds that the organization is operating illegally and unethically.
The vulnerability coordination and bug bounty platform’s decision applies to FlexiSPY, a company which produces spyware designed to spy on children as well as spouses and partners. Its “solutions,” if you want to call them that, allow a user to intercept a target’s SMS messages, read their emails, compromise their social media profiles, and listen in on live calls.
When you’re peddling these types of services, it’s guaranteed you’ll attract a lot of negative attention.
Sure enough, two hackers formed a partnership called “The Decepticons.” Together, they infiltrated the company’s IT assets, exfiltrated product source code and other types of information, and wiped nearly every server they could find.
Their motivation? The two hackers didn’t hide it in a recent interview with Motherboard:
“We got what we needed. And this will probably put [FlexiSPY] out of business.”
It didn’t take long for outrage over the data breach to begin pouring in against the spyware company on social media.
In an effort to save its brand and reputation (as well as prevent further attacks in the future), FlexiSPY announced its intention to move its bug bounty program to HackerOne. The spyware seller said it would offer researchers as much as $5,000 for responsibly disclosing vulnerabilities in its portal, main website, and Android and iOS binaries through the new rewards program.
In the interest of transparency, we're moving the bounty program to @Hacker0x01 …
— FlexiSPY (@flexispy) April 26, 2017
Initially, HackerOne seemed receptive to the idea because, in its words to The Register, “improving the integrity of all connected software is to the benefit of the digital society.” But amid contentious debate on social media, the platform’s CEO and CTO subsequently published a blog post in which they make HackerOne’s stance clear:
“HackerOne will always make vulnerability disclosure programs available to all organizations that operate legally and commit to working with hackers in good faith. These organizations are welcome to host their security@ on the HackerOne platform. We will not take action against them based exclusively on moral judgements.
“However, engaging proactively with the HackerOne community through a bug bounty program is a privilege that is only afforded to organizations that conduct themselves in an ethical manner. In our assessment, FlexiSPY actively infringes upon the rights of others and markets on questionable legal premises. Their business conduct is not in line with our ambition to build a safe and sound internet where the sovereignty and safety of each participant is respected. As such, FlexiSPY will not be permitted to host a bug bounty program on HackerOne.”
I’m with HackerOne’s logic. Bug bounty programs are all about ethical hacking. But if the company the bug bounty program is designed to benefit is not acting in an ethical manner, a line needs to be drawn, even if that means customers and victims might be exposed to vulnerable spyware solutions.
Let’s hope FlexiSPY takes a hint. In the meantime, if you think you or someone you know has suffered an infection at the hands of one of FlexiSPY’s products, you can use this tool to detect it.