Talkspace threatened to sue a security researcher over bug report

A security researcher said he was forced to take down a blog post describing an apparent bug in Talkspace’s website that gave him a year’s subscription for free, after the company rejected his findings and sent the researcher a legal threat.

John Jackson said he was able to sign up to Talkspace, a popular therapy app, as if he were an employee at one of the companies whose health insurance plans covers Talkspace’s services. Some of these sign-up links are found in Google search results, some of which aren’t advertised on the company’s website.

But Jackson said he found little to no evidence that the sign-up page verifies that a user is eligible for the free year-long subscription.

Jackson tested his theory by creating an account. A month later, the account is still active, he said.

Jackson’s case is just the latest example of security researchers facing legal threats for their work. Months ago, aerospace security researcher Chris Kubecka said she was threatened by Boeing after finding a security issue on a plane. Two security researchers were also prosecuted last year amid claims they overstepped the limits of their penetration test at an Iowa courthouse. The case was later dropped.

Talkspace does not offer a way for security researchers to submit bugs. With help from TechCrunch, the researcher contacted Talkspace to warn of the potential bug, fearing that malicious hackers or users could be abusing the system and claiming free therapy. But the company rejected the claims, telling Jackson that it has “multiple internal processes in place to protect against abuses,” without providing specifics.

Within hours of Jackson publishing his findings on his blog — which TechCrunch has seen — Talkspace sent Jackson a cease and desist letter, accusing the researcher of defaming Talkspace “by broadcasting untruths” in his blog post.

“In no instance would Talkspace charge an enterprise partner or a health plan for services rendered to a user not deemed eligible by that partner,” said the letter, signed and sent by Talkspace general counsel John Reilly.

“This letter is formal notice to cease and desist, as well as immediately retract such statements with clarification to your blatant and damaging misstatements,” said the letter. “Failure to do so will result in further and immediate legal action.”

When reached, Talkspace would not say on the record what its anti-fraud mechanisms are, or if or how many fraudulent incidents it has discovered, only that the sign-up program is “designed in collaboration with each partner based upon their individual objectives,” said Gil Margolin, Talkspace’s chief technical officer.

We’ve published the cease and desist letter. The letter did not address the technical claims made by Jackson in his blog post.

When reached, Talkspace spokesperson JoAnna Di Tullio deferred comment to Reilly, who repeated the claims from his letter, that the company is “well aware of how we structure our employer relationships and secure eligibility for our services,” and described Jackson’s blog post as “pure defamation” and “utterly untrue.”

Many companies nowadays embrace security researchers by offering bug reporting programs, which reward or pay researchers for finding security flaws and other bugs that could otherwise go unreported and exploited by malicious hackers.

Other companies, like Dropbox, Mozilla and Tesla, go further by offering “safe harbor” provisions by promising not to take legal action against researchers who act in good faith.

Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849.