Footnote4a

Mass surveillance, government contracts, and other bedtime reading.

Red Team, Red Flags: Flock's Bishop Fox Engagement Creates Compliance Nightmare

Flock Safety hired Bishop Fox for adversarial security testing. Under CJIS rules, successful testing would trigger mandatory incident reporting—making competent auditing a compliance violation.

by H.C. van Pelt
security
cjis

Flock finally reacts to the vulnerabilities it has known about and failed to fix for nearly a full year. Sort of. The company put out a press release today saying it “will launch a comprehensive testing campaign to provide third-party evaluation of Flock’s technology as part of the company’s continued commitment to security and risk management.” Unfortunately, rather than contributing to a more secure environment, this audit is virtually guaranteed to bring Flock further out of compliance.

The announcement is, of course, almost entirely marketing gibberish; to the extent that there’s any meat on its bones, this is it:

Bishop Fox’s offensive security experts will engage in complex, multistage and multilayer adversarial testing across all of Flock’s products, both hardware and software. The results and any ensuing updates will be communicated transparently to reinforce confidence in Flock’s strong security posture.

Dumb title omitted, Flock via GlobeNewswire, Feb 2, 2026

The key phrase is “multistage and multilayer adversarial testing.” This suggests[1] they will engage Bishop Fox for some good old-fashioned red teaming.

It would be good news. If this announcement passed the smell test.

Why would Flock announce this to the world?

For readers not familiar with the term, “red teaming” is industry shorthand for hiring people who will attempt to break into your systems. It can include everything from physical entry (by breaking into buildings), to social engineering, to “hacking” systems over the Internet.

This is an incredibly useful exercise for security teams. Red teams (and actual attackers) can test vectors that employees typically can’t—for example, leaving USB sticks containing malware in company parking lots, putting on a hi-viz vest and carrying a clipboard into the server room, or sweet-talking Sam from HR into giving them an employee login.

If you want to test your everyday preparedness, announcing it to the world is not a good idea, for obvious reasons.

Perhaps more importantly for a company like Flock, an announcement like this sets expectations:

The results and any ensuing updates will be communicated transparently to reinforce confidence in Flock’s strong security posture.

A red team exercise at any organization, let alone one with a track record like Flock’s, is not a one-shot third-party validation exercise. Testing and addressing vulnerabilities is a months-long coordinated effort between senior management, in-house security staff, external consultants, and engineering teams.

If done right, the result is not a report to be presented in a shareholder call; it’s a binder documenting the work your management and engineering teams will be doing for the next six months.

And that’s just about the best-case scenario, which I do not expect for Flock.

Instead, Flock blasts out a press release with little to no context, creating unnecessary friction between shareholders who simply want a stamp of approval and security teams who want meaningful, long-term fixes.

Flock uses the language of success to set itself up to fail.

The Bishop Fox Choice

Bishop Fox is generally a well-regarded offensive security firm—the kind of company you hire when you’re serious about finding vulnerabilities. But …

Late last year, I published “Y Combinator funds both surveillance infrastructure and the machinery to silence its critics” which described some of the Y Combinator ties between Flock and its alleged other cybersecurity partner, Cyble.

I say “alleged,” because in that post, I questioned how formal the relationship is, writing “I would expect one of them to do a press release announcing a ‘strategic partnership.’” Here, Flock did not choose Cyble. It chose Bishop Fox. And it put out a press release.

While the ties between the two companies do not suggest the same degree of entanglement as between Flock and Cyble, interesting overlaps remain.

Reddit co-founder Alexis Ohanian was Flock’s first investor, while Reddit co-founder Steve Huffman currently serves on the board of Bishop Fox.

Chris Castaldo, Flock’s new CISO, worked at IronNet CyberSecurity before being hired at Flock. Don Dixon, managing director of Forgepoint Capital, serves on the board of both IronNet and Bishop Fox.

Castaldo also worked with Will Lin, another managing director and founding member of Forgepoint Capital[2]: they co-founded the non-profit Security Tinkerers in 2018 and continue to collaborate on it today.

The “follow the money” connection between Flock and Bishop Fox is not as obvious or direct as the one between Flock and Cyble, but the close personal relationship Flock’s new CISO maintains with managing directors and board members of a “neutral third party” that could add or remove billions from Flock’s valuation raises serious red flags.

We’ll see if Flock publicly acknowledges this appearance of a conflict at any point before the “results” are in, or if we’re expected to take everything at face value.

The impossible bind

The CJIS Security Policy (CJISSECPOL), also name-dropped[3] in the press release, creates an inescapable problem for any “production” testing of Flock’s systems.

There is a commonly used CJISSECPOL workaround for giving contractors temporary access to criminal justice information (CJI) without full vetting: a Flock employee “escorts” the contractors while they work. This avoids fingerprinting, background checks, and the cascade of compliance certifications that would otherwise be required from every agency customer in states without centralized contractor vetting.

The problem is that in an “escort” scenario, the escort is required to prevent Bishop Fox from accessing unencrypted CJI. CJISSECPOL § 5.1.1.5 is explicit: physical access must be “controlled,” and visitors must be “escorted at all times and activities monitored” so that the contractor cannot view protected data.[4]

As soon as Bishop Fox successfully discovers a vulnerability that exposes real data, which is, after all, the entire point of red teaming, the escort has failed in that duty. The incident becomes reportable under CJISSECPOL: the contracting government agencies (CGAs) must be notified, as must the FBI, and mitigation plans must be submitted.

Success equals failure. The very act of doing the security audit competently would trigger mandatory incident reporting.

Neither alternative works

For Flock, as the defending “blue team,” there are two paths forward, and both lead nowhere good.

Option 1: Test on a replica environment.

There is a lot of evidence of Flock using development-specific code and keys in production and vice versa, suggesting poor logical separation and cross-environment contamination. If I had to make a list of “organizations I would expect can roll out an accurate replica of their production environment,” Flock would definitely not be on it.

Even assuming Flock could create an accurate replica software environment, if your penetration testing is multilayer and includes physical security, you have to include the security of your office and server buildings, as well as any parts of your network you’re leaving unattended on a stick on the side of the road.

And while a replica might yield valid results for a blue team interested in making improvements, because we can’t verify the fidelity of the replica, it would invalidate a lot of the “third party” claims that Flock raises in its press release. (Again, I ask: why announce it in a press release?)

Option 2: Test in production.

This creates the impossible bind described above. But even setting aside the escort paradox, testing in production without the escort workaround would be worse.

Some states, through their CJIS Systems Agencies (CSAs), have centralized vetting for contractors. Many do not. For states without centralized vetting, each Bishop Fox employee with access to unencrypted CJI would have to be fingerprinted and background checked, and would have to certify their knowledge of, and agreement with, CJISSECPOL to each Flock customer with an active CJIS Security Addendum.

To be compliant with CJISSECPOL, all governmental Flock customers in those states must independently ensure this has happened. Failing to do so, even in a single jurisdiction, would bring all of Flock’s customers—including those in states with centralized compliance—out of compliance the moment Bishop Fox touches a live packet.

We already know Flock sends data to Denmark and the Philippines. The certifications I have received in open records requests did not include these contractors.

Ultimately, it’s on local criminal justice agencies and their state CSAs—not Flock—to remain in compliance with CJISSECPOL.

If Flock were to add another subcontractor to access its customers’ CJI without obtaining necessary authorizations, conducting the necessary background checks, and providing the required compliance documentation, it would bring its agency customers even further out of compliance.

We’ve tried nothing, and we’re all out of ideas

Flock continues to sit on the report by GainSec, which documents dozens of vulnerabilities that were reported to Flock in February 2025 but, by all accounts, remain unfixed. It also continues to ignore the unrelated issue from late 2025, where it hardcoded passwords in production.

The red team should have no trouble finding and flagging these issues. Then we’ll have another report for Flock to fail to act on.

In its press release, Flock writes that “[t]he results and any ensuing updates will be communicated transparently to reinforce confidence in Flock’s strong security posture.”

Flock could start on that today by acknowledging and fixing the already-documented vulnerabilities in its products.

Flock could also own up to all the security incidents it has experienced, from accidentally disclosing a file with customer emails to hardcoding passwords in roadside cameras. It could transparently implement fixes, or at least publish a schedule for them.

The company could address the issues with compliance, which include failures to mitigate critical security vulnerabilities within 15 days as CJISSECPOL requires, designing the system to disseminate CJI indiscriminately, and leaking entire murder investigations.

Instead of falsely claiming “we have never been hacked” and removing accountability measures, Flock could work with independent security researchers, rather than try to get them to sign NDAs.

Flock could even work with CSAs and the FBI, which are authorized to audit Flock’s systems. After several unanswered requests to the Iowa Department of Public Safety (Iowa’s CSA), in December 2025, I even requested the FBI perform such an audit, citing incidents where Flock disseminated warrant information from NCIC, and the 157 pages of murder investigation mentioned earlier.[5]

The company has not issued a single press release indicating it has done, or plans to do, any of these things.

From inception, this announcement has all the hallmarks of compliance theater. Producing a meaningless report by an “independent” third party before CJISSECPOL’s stricter Supply Chain Risk Management controls come into full effect with version 6 may well be a way to avoid the Department of Justice needing to wade into the mess Flock, local agencies, and CSAs have created.

Flock’s goal should be to improve its security posture, not to “reinforce confidence” in it. One is security, the other is managing public perception—i.e., marketing.


  1. That said, we know Flock plays semantic games in its marketing and press releases. The company likes to treat its customers like they’re opposing counsel in a lawsuit. ↩︎

  2. It is somewhat unclear if Lin still holds his board position. Secondary sources make the claim, but he is not listed on the company’s “meet the team” page. Alberto Yépez and Ernie Bio are still there to represent his company, Forgepoint. ↩︎

  3. See the previous footnote. Flock claims “compliance with CJIS Security Policy,” which is not something a third-party vendor can achieve on its own: there is no vendor-level CJIS certification, compliance is assessed against the criminal justice agency and its CSA, and contractors are bound only through each agency’s CJIS Security Addendum. ↩︎

  4. CJISSECPOL § 5.1.1.5: “Physical access to information system facilities where CJI is processed, stored, or transmitted shall be controlled… Visitors shall be escorted at all times and activities monitored.” The policy contemplates escorts as a control mechanism to prevent unauthorized access, not to observe it happening. ↩︎

  5. Additional documents about these requests will be published here in due time. ↩︎