The largest cybersecurity firm, HackerOne‘s employee stolen vulnerability disclosure reports, submitted through Bounty Platform to sell to customers directly.
HackerOne is vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers. The reports say, since May 2020, HackerOne’s network had paid $100 million in bounties.
In a recent blog post, the company detailed the incident that took place over the period of three months and confirmed that the employee has since been fired.
An Insight of the Incident
On June 22nd, 2022, a customer asked the company to examine a suspicious vulnerability disclosure made outside of the HackerOne platform. The company noticed that this submitter used intimidating language in communication; also the disclosure was similar to an existing disclosure that was earlier submitted through HackerOne.
After the investigation, the HackerOne Security team found a then-employee had improperly accessed security reports for personal gain. The report says the person revealed this bug report outside the company with the aim of claiming extra bounties.
“The threat actor created a HackerOne sockpuppet account and had received bounties in a handful of disclosures. After identifying these bounties as likely improper, HackerOne reached out to the relevant payment providers, who worked cooperatively with us to provide additional information”, says HackerOne.
Upon analyzing the threat actor’s network traffic exposed more evidence that linked their primary and sockpuppet accounts on HackerOne.
The Action was Taken against the Incident
Since it is a violation of the company’s policies, and employment contracts, under 24 hours, the company says, the then-employer’s access was cut-off.
“We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future. Subject to our review with counsel, we will also decide whether criminal referral of this matter is appropriate”, the company said.
The company identified seven customers who received direct communication from the threat actor. They notified each of the customers for investigation and asked for information related to their interactions.
The company says that they have issued platform bans for the employee’s known HackerOne accounts. Also, they planned to carry on forensic analysis of the logs produced and devices used by the former employee. The company is reaching out to other bug bounty platforms to share details in case their customers received similar communications from “rzlr”.
The notice informs the hackers of the incident and includes a list of the reports the threat actor accessed either legitimately, as part of their job, or with the intention to abuse the vulnerabilities submitted.
HackerOne mentioned, “This was a serious incident. We are confident that insider access is now contained. Insider threats are one of the most insidious in cybersecurity, and we stand ready to do everything in our power to reduce the likelihood of such incidents in the future.”