
HackerOne Fires Employee for Stealing Bug Reports, Collecting Bug Bounties

Bug bounty and vulnerability coordination platform HackerOne has fired an employee for using their position to access customers’ vulnerability data and selling duplicated data back to them to make money.

On Friday, July 1st, the San Francisco-headquartered bug bounty and vulnerability coordination platform HackerOne disclosed that an employee hired in April 2022 had been fired for accessing security reports submitted to the platform and resubmitting them to customers for monetary gain.

Reportedly, the unnamed employee “anonymously disclosed this vulnerability information outside the HackerOne platform” solely to claim bounties. Within 24 hours of detecting the malpractice, the company cut off the employee’s access to vulnerability data and contained the incident. The employee was fired on 30 June 2022.

It must be noted that HackerOne is a platform where white hat hackers can anonymously submit vulnerability reports in exchange for bounties. It is one of the leading Attack Resistance Management platforms in the world.

How was the Malpractice Detected?

HackerOne explained that on June 22nd, 2022, one of its customers got suspicious when someone submitted vulnerability data using aggressive and threatening language. The customer quickly alerted the company, asking them to investigate a “suspicious vulnerability disclosure” submitted by someone using the handle “rzlr.”

Surprisingly, the submitted data was identical to a disclosure HackerOne had previously shared with that same customer.

Investigation Reveals Startling Facts

The company launched an investigation and learned that an insider was accessing customer disclosures. Internal log data analysis confirmed that the rogue employee created a HackerOne sockpuppet account and resubmitted duplicate versions of vulnerability reports to the same customers to receive money.

“Following the money trail, we received confirmation that the threat actor’s bounty was linked to an account that financially benefited a then-HackerOne employee. Analysis of the threat actor’s network traffic provided supplemental evidence connecting the threat actor’s primary and sockpuppet accounts.”

HackerOne blog post

How Many Customers Were Targeted?

HackerOne also revealed that the now ex-employee had access to its systems between April 4th and June 23rd, 2022. During this time, the employee was involved in triaging vulnerability disclosures for different customer programs and had contacted seven customers in the same manner.

The company interviewed the employee and later fired him for violating the company’s policies, culture, and employment contract. HackerOne’s chief information security officer Chris Evans and chief technology officer Alex Rice described it as a “serious incident.”

The company has notified customers about the incident but has not yet decided whether to make a criminal referral against the former employee.
