
HackerOne says 'no' to FlexiSpy stalkerware bug bounty program

Creepy app seller is going to have to QA its own buggy software

By Iain Thomson, 5 May 2017

Bug bounty organizer HackerOne has told stalkerware developer FlexiSpy that it won't take its business because of the ethics – or lack thereof – that the software maker exhibits.

FlexiSpy has been around for years and is a surveillance application sold to paranoid spouses and those parents and employers who want to know more than they should about their kids and workers. But last month, hackers announced they had comprehensively pwned the application and the servers of the firm that sold it.

While FlexiSpy has ignored requests for comment, the biz did announce that it was going to set up a bug bounty program to harden up its code. El Reg contacted HackerOne for comment at the time and they gave us the following:

"Any company that operates legally within its jurisdiction, treats our hackers with respect and takes vulnerability disclosure seriously is generally welcome to run their program on the HackerOne platform. Improving the integrity of all connected software is to the benefit of the digital society."

The results weren't good, with many online responses to this stance being extremely negative. Rival bug bounty host Bugcrowd said that FlexiSpy wasn't welcome and that it wouldn't help the firm find bugs, and plenty of security researchers expressed shock and discomfort at HackerOne's view.

However, on Thursday, HackerOne's CEO Mårten Mickos issued a public statement saying that FlexiSpy wouldn't be welcome either. Mickos said the firm had taken legal advice, polled its staff and members, and listened to the wider community in making its decision.

"In our assessment, FlexiSpy actively infringes upon the rights of others and markets on questionable legal premises," he said.

"Their business conduct is not in line with our ambition to build a safe and sound internet where the sovereignty and safety of each participant is respected. As such, FlexiSpy will not be permitted to host a bug bounty program on HackerOne."

Mickos stresses that FlexiSpy was never a customer of HackerOne, and that the stalkerware firm had merely said they would like to use the bug bounty host. Now, and with Bugcrowd having already said no, FlexiSpy will have to sort out their own crappy code. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing