FlexiSpy, a commercial spyware developer, wanted to motivate researchers to discover potential data security flaws in its software through HackerOne’s bug bounty program. However, HackerOne refused due to ethical concerns.
FlexiSpy sells consumer spyware through which it’s possible to track one’s family members and their online activities. Through their spying software, the users can:
- Send fake SMS messages
- Compromise other apps (Skype, Instagram, Facebook…)
- Intercept and view multimedia content
- Snoop on text messages and VoIP
- Read emails
Last month, Decepticons (a group of hackers) allegedly compromised FlexiSpy’s software and leaked the source code online. It is likely this was the reason behind their bug bounty application.
In the past, Bugcrowd publicly expressed their concerns, and stated that FlexiSpy would not be welcome on their platform. It looks like HackerOne has a similar stance on the matter.
HackerOne believes that acceptance should not be determined on the basis of arbitrary moral judgments, and would rather let the courts decide the legality of the software. In this particular case, however, they have reasons to believe that FlexiSpy is operating illegally, and they do not want to be connected to them.
HackerOne also stated they want to make vulnerability disclosure programs available to all organisations that are operating legally, and will not be taking action against them merely on moral judgments. However, they added this is a privilege reserved for the kind of organisations that conduct themselves in an ethical manner.
As of right now, FlexiSpy has not yet commented on the decision.