HackerOne employee fired for using position to steal bug bounties

A hand holding a magnifying glass reveals a red lock, unlocked among several blue locked locks

Vulnerability coordination platform HackerOne has announced the firing of an employee found to have used their position to access the vulnerability data of customers, and to sell duplicate data back to them for monetary gain.

HackerOne provides a platform through which white hat hackers can anonymously submit vulnerability reports on companies and also facilitates the secure transfer of bounties in return for the information. The company describes itself as the “global leader” in attack resistance management (ARM).

RELATED RESOURCE

Securing endpoints amid new threats

Ensuring employees have the flexibility and security to work remotely

FREE DOWNLOAD

It was discovered this week that an employee had improperly accessed HackerOne systems between April 4 and June 23, stealing user-submitted vulnerability data to pass the information along to the affected customers themselves and receive the bounty.

Concerns were raised by a customer on June 22, when a submitter of vulnerability data used threatening language and provided information with remarkable similarity to a disclosure they had previously received through HackerOne.

Relying on a community of over a million hackers to submit reports can lead to ‘bug collisions’ or duplicates, where two or more hackers can discover the same vulnerability around the same time as each other. In this instance, however, the company states that it was provided with evidence that cast doubt on simple coincidence being behind this crossover of information.

What is hacktivism? Vulnerability hunters are cut from a different cloth – they’re naturally inquisitive Businesses urged to abandon Microsoft Exchange legacy authentication earlier than planned

24 hours after the customer tip, HackerOne had identified an employee suspected of being behind the incident and removed their system access. This was possible because only one employee’s access log showed that they had viewed all the disclosures that further customers had identified as being re-submitted by the threat actor.

Following an interview, their employment was terminated, and criminal referral has not yet been ruled out by the company.

In a report, HackerOne chief information security officer Chris Evans and chief technology officer Alex Rice described the actions as a “serious incident.”

“Insider threats are one of the most insidious in cybersecurity, and we stand ready to do everything in our power to reduce the likelihood of such incidents in the future.”

The company states that they have made all customers that they know interacted with the threat actor aware of the incident, but further stressed that any customer who was contacted by user ‘rzlr’ should contact them directly at support-incident-06-22@hackerone.com.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.