HackerOne fires employee who stole bug reports to make money elsewhere


New Delhi, Jul 5 (IANS): Bug bounty platform HackerOne has revealed that one of its employees took bug reports submitted by external researchers for personal gain by submitting those on other bounty platforms.

An investigation by the HackerOne Security team found that a then-employee had anonymously disclosed vulnerability information outside the HackerOne platform with the goal of claiming additional bounties.

"This is a clear violation of our values, our culture, our policies, and our employment contracts. In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data," the company said in a statement.

"We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future," it added.

On June 22, a customer asked HackerOne to investigate a suspicious vulnerability disclosure made outside of its platform.

This customer expressed skepticism that this was a genuine collision and provided detailed reasoning.

The HackerOne security team took these claims seriously and began an investigation.

"Our investigation has concluded that a (now former) HackerOne employee improperly accessed vulnerability data of customers to re-submit duplicate vulnerabilities to those same customers for personal gain," said Alex Rice, Founder and CTO.

The company identified seven customers who received direct communication from the threat actor.

"We notified each of the customers of our investigation and asked for information related to their interactions," said Chris Evans, CISO.

"As a result of the findings of our investigation, we believe we have taken the necessary steps to contain the insider's access," he added.

HackerOne paid out over $100 million to participants in 2020 who reported over 181,000 vulnerabilities through bounties.

 

  
