HackerOne employee fired for using position to steal bug bounties
The threat actor was identified by their duplicate data, which they were trying to pass off as their own for financial gain
Vulnerability coordination platform HackerOne has announced the firing of an employee found to have used their position to access the vulnerability data of customers, and to sell duplicate data back to them for monetary gain.
HackerOne provides a platform through which white hat hackers can anonymously submit vulnerability reports on companies and also facilitates the secure transfer of bounties in return for the information. The company describes itself as the “global leader” in attack resistance management (ARM).
It was discovered this week that an employee had improperly accessed HackerOne systems between April 4 and June 23, stealing hacker-submitted vulnerability reports and re-submitting the information to the affected customers themselves in order to collect the bounty.
Concerns were raised by a customer on June 22, when a submitter of vulnerability data used threatening language and provided information remarkably similar to a disclosure the customer had previously received through HackerOne.
Relying on a community of over a million hackers to submit reports can lead to ‘bug collisions’ or duplicates, where two or more hackers discover the same vulnerability at around the same time. In this instance, however, the company states that it was provided with evidence that cast doubt on simple coincidence being behind this crossover of information.
24 hours after the customer tip, HackerOne had identified an employee suspected of being behind the incident and removed their system access. This was possible because only one employee’s access log showed that they had viewed every one of the disclosures that further customers had identified as being re-submitted by the threat actor.
Following an interview, their employment was terminated, and a criminal referral has not yet been ruled out by the company.
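As an added illustration (not code from HackerOne's report), the detection step described above amounts to checking which internal account viewed every one of the reports that customers flagged as re-submitted. The log format, user names and report IDs below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines; not HackerOne's real log format.
ACCESS_LOG = """\
2022-04-04T10:12:03Z user=alice action=view report=R-101
2022-04-05T09:40:11Z user=bob action=view report=R-101
2022-04-06T14:02:55Z user=alice action=view report=R-137
2022-04-09T08:31:42Z user=carol action=view report=R-137
2022-05-12T16:20:09Z user=alice action=view report=R-209
2022-05-13T11:05:27Z user=bob action=view report=R-209
2022-06-01T13:47:18Z user=alice action=view report=R-255
2022-06-02T15:09:33Z user=carol action=view report=R-255
2022-06-20T10:00:00Z user=bob action=edit report=R-300
"""

# Reports that customers identified as re-submitted by the outside actor (constructed IDs).
RESUBMITTED = {"R-101", "R-137", "R-209", "R-255"}

LINE_RE = re.compile(r"user=(\S+) action=(\S+) report=(\S+)")

def views_by_user(log_text):
    """Map each user to the set of report IDs they viewed (edits are ignored)."""
    viewed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(2) == "view":
            viewed[m.group(1)].add(m.group(3))
    return viewed

def rank_suspects(log_text, leaked):
    """Return (user, fraction of leaked reports viewed), highest coverage first."""
    viewed = views_by_user(log_text)
    return sorted(((u, len(v & leaked) / len(leaked)) for u, v in viewed.items()),
                  key=lambda t: -t[1])

def full_coverage(log_text, leaked):
    """Users who viewed every leaked report: the single-account signal in the article."""
    return sorted(u for u, v in views_by_user(log_text).items() if leaked <= v)

if __name__ == "__main__":
    print(rank_suspects(ACCESS_LOG, RESUBMITTED))
    print(full_coverage(ACCESS_LOG, RESUBMITTED))
```

Ranking by coverage rather than only checking for a full match keeps the signal useful when one of the flagged reports was a genuine bug collision.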
In a report, HackerOne chief information security officer Chris Evans and chief technology officer Alex Rice described the actions as a “serious incident.”
“Insider threats are one of the most insidious in cybersecurity, and we stand ready to do everything in our power to reduce the likelihood of such incidents in the future.”
The company states that it has made all customers it knows interacted with the threat actor aware of the incident, but further stressed that any customer who was contacted by user ‘rzlr’ should contact it directly at firstname.lastname@example.org.