HackerOne employee stole vulnerability reports from security researchers
HackerOne says an employee stole vulnerability disclosure reports submitted through its platform so they could (at least attempt to) claim the company’s partner bounty for themselves.
Many companies have launched bug bounty programs to reward security researchers who disclose vulnerabilities in their products instead of exploiting the flaws themselves, selling them on the black market, or selling them to zero-day brokers on the gray market. Many companies rely on platforms like HackerOne to run these programs for them.
HackerOne says it “discovered that a then-employee had improperly accessed security reports for personal gain” in June. “The person anonymously disclosed this vulnerability information outside of the HackerOne platform in an effort to claim additional bounties,” the company said. “This is a flagrant violation of our values, our culture, our policies and our employment contracts.”
The entire investigation – from a HackerOne partner expressing doubts about the employee’s recently submitted bug report to cutting off the employee’s access to this data – reportedly took less than 24 hours. (HackerOne says it also fired the employee in question and is talking to its attorneys to “decide whether it is appropriate to refer this case to criminal proceedings.”)
“In summary,” says HackerOne, “this was a serious incident. We are confident that insider access is now contained. Insider threats are one of the most insidious in cybersecurity, and we are prepared to do everything in our power to reduce the likelihood of such incidents in the future.”
In response to this incident, the company says it is making a number of improvements to its processes, such as collecting additional data that may be relevant for future investigations and restricting employee access to certain information. It’s unclear why some of these security measures, particularly limiting access to disclosure reports, weren’t already in place.
On the positive side, HackerOne says that all reports submitted by this former employee were marked as duplicates, leading it to believe that payments to legitimate security researchers were unaffected. The company says it has emailed all companies contacted by the former employee and plans to notify the hackers whose reports were viewed about the breach.