The Economic Times daily newspaper is available online now.

    HackerOne fires employee who stole bug reports to make money elsewhere

    Synopsis

    On June 22, a customer asked HackerOne to investigate a suspicious vulnerability disclosure made outside of its platform.

    HackerTHE ECONOMIC TIMES
    Bug bounty platform HackerOne has revealed that one of its employees took bug reports submitted by external researchers for personal gain by submitting those on other bounty platforms.

    Upon investigation by the HackerOne Security team, it discovered a then-employee anonymously disclosed vulnerability information outside the HackerOne platform with the goal of claiming additional bounties.

    Elevate Your Tech Prowess with High-Value Skill Courses

    Offering CollegeCourseWebsite
    IIM LucknowIIML Executive Programme in FinTech, Banking & Applied Risk ManagementVisit
    IIT DelhiIITD Certificate Programme in Data Science & Machine LearningVisit
    IIM KozhikodeIIMK Advanced Data Science For ManagersVisit
    "This is a clear violation of our values, our culture, our policies, and our employment contracts. In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data," the company said in a statement.

    "We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future," it added

    On June 22, a customer asked HackerOne to investigate a suspicious vulnerability disclosure made outside of the its platform.

    This customer expressed skepticism that this was a genuine collision and provided detailed reasoning.

    The HackerOne security team took these claims seriously and began an investigation.

    "Our investigation has concluded that a (now former) HackerOne employee improperly accessed vulnerability data of customers to re-submit duplicate vulnerabilities to those same customers for personal gain," said Alex Rice, Founder and CTO.

    The company identified seven customers who received direct communication from the threat actor.

    "We notified each of the customers of our investigation and asked for information related to their interactions," said Chris Evans, CISO.

    "As a result of the findings of our investigation, we believe we have taken the necessary steps to contain the insider's access," he added.

    HackerOne paid out over $100 million to participants in 2020 who reported over 181,000 vulnerabilities through bounties.
    The Economic Times

    Stories you might be interested in