HackerOne employee stole bug reports and collected the bounties
An insider was scooping up bug reports and presenting them as their own
An employee of bug bounty platform HackerOne has been stealing user-submitted reports and disclosing the information to the affected vendors, sometimes in exchange for financial reward.
In a blog post, the company revealed the details of the incident, which took place over the course of roughly three months, and confirmed that the employee has since been fired.
HackerOne is still considering whether or not to pursue a criminal lawsuit, BleepingComputer reported.
Identical reports raising eyebrows
In early April, HackerOne brought in a new employee who, due to their position, had access to bug reports. These reports highlight vulnerabilities in various software and services that could be exploited by cybercriminals to steal passwords and other sensitive information, distribute malware and more.
From early on, the individual began gathering reports and, under a fake name, reaching out to the affected businesses, often in a threatening and intimidating tone, HackerOne said.
The employee would then demand payment in exchange for the vulnerability disclosure, and in some instances even got their way.
HackerOne was alerted to the potential fraud when one of its affected clients reached out to say that another person had “discovered” an identical flaw. While duplicate discoveries in bug hunting aren’t uncommon, this particular instance was identical to such an extent that it aroused suspicion, the company said.
Together with payment providers, HackerOne was able to follow the money, and soon discovered one of its own employees was behind the scheme.
Soon after, it revoked the employee’s access to the system and remotely locked their laptop, pending investigation. The investigation identified all of the bug reports the person had accessed, prompting the company to reach out to both the hackers who had discovered the bugs and the companies affected.
The company also said that not all of the bug reports that the person accessed were abused. In some cases, the access was for legitimate purposes.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.