HackerOne says that an employee stole vulnerability disclosure reports submitted via its platform so that they could claim, or at least attempt to claim, the bounty from the company's partners for themselves.
Many companies have started bug bounty programs to reward security researchers for exposing vulnerabilities in their products rather than exploiting the flaws themselves, selling them on the black market, or selling them to zero-day brokers on the gray market. Lots of companies rely on platforms like HackerOne to run these programs for them.
HackerOne says that in June it “discovered that an employee at the time had improperly accessed security reports for personal gain.” “An anonymous person disclosed this vulnerability information outside the HackerOne platform with the aim of claiming additional rewards,” the company says. “This is a clear violation of our values, culture, policies and work contracts.”
The entire investigation, from a HackerOne partner raising doubts about a recent vulnerability report to the employee's access to this data being cut off, reportedly took less than 24 hours. (HackerOne says it has also fired the employee in question and is consulting with its attorneys “to determine whether criminal referral for this matter is appropriate.”)
HackerOne says: “In short, this was a serious incident. We are confident that insider access is now contained. Insider threats are one of the most deceptive threats in cybersecurity, and we are willing to do everything we can to reduce the likelihood of such incidents in the future.”
In response to this incident, the company says it is making a number of improvements to its operations, such as collecting additional data that may be relevant to future investigations and restricting employee access to certain information. It is not clear why some of these security measures, particularly restricting access to disclosure reports, were not already in place.
On the plus side, HackerOne says that all reports submitted by this former employee were flagged as duplicates, leading it to believe that payments to forensic security researchers were unaffected. The company says it has emailed all companies the former employee contacted and plans to inform hackers whose reports were accessed about the intrusion.