Vulnerability disclosure platform shares details of incident

HackerOne employee stole data from bug bounty reports for financial gain

HackerOne has disclosed details of an incident involving a former employee who it claims accessed internal data for personal financial gain.

The unnamed individual obtained information from security reports submitted to the bug bounty platform and attempted to disclose the same vulnerabilities outside of the platform.

He had access to the data between April 4 and June 23, 2022, according to HackerOne.

Suspicious finds

HackerOne was alerted to the issue on June 22, 2022, by a customer who had received duplicate bug reports, one through the platform and one from the individual directly, and grew suspicious.

“Bug collisions and duplicates, where multiple security researchers independently discover a single vulnerability, commonly occur in bug bounty platforms,” HackerOne explained in a statement.

“However, this customer expressed skepticism that this was a genuine collision and provided detailed reasoning. The HackerOne security team took these claims seriously and immediately began an investigation.”

The submitter of this off-platform disclosure “reportedly used intimidating language in communication with our customer”, says HackerOne, which confirmed that the actor’s goal was to claim additional bounties.

“This is a clear violation of our values, our culture, our policies, and our employment contracts,” the platform said.

“In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data.

“We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future.”

HackerOne also said that, subject to a review with counsel, it will decide whether a criminal referral of the matter is appropriate.

Aftermath

A HackerOne spokesperson told The Daily Swig: “Since the founding of HackerOne, we have honored our steadfast commitment to disclosing security incidents because we believe that sharing security information is essential to building a safer internet.

“At HackerOne, we value the trusted relationships with our customers and the hacking community. It’s important for us to continue to demonstrate transparency as a core tenet of Corporate Security Responsibility and therefore shared this Incident Report.”

The spokesperson added: “Our Code of Conduct sets the foundation for building trust. We will continue to prioritize coordinated disclosure and to act fast to ensure we uphold these strong standards.”