Bug bounty and vulnerability coordination platform HackerOne has fired an employee for using their position to access customers’ vulnerability data and selling duplicated copies of that data back to the same customers for money.
On Friday, July 1st, the San Francisco-headquartered bug bounty and vulnerability coordination platform HackerOne disclosed that an employee they hired in April 2022 was fired for accessing security reports submitted to the platform and resubmitting them to customers for monetary gains.
Reportedly, the unnamed employee “anonymously disclosed this vulnerability information outside the HackerOne platform” only to claim bounties. Within 24 hours of detecting this malpractice, the company cut off the employee’s access to vulnerability data and contained the incident. The employee was fired on 30 June 2022.
It must be noted that HackerOne is a platform where white hat hackers can anonymously submit vulnerability reports in exchange for bounties. It is one of the leading Attack Resistance Management platforms in the world.
How was the Malpractice Detected?
HackerOne explained that on June 22nd, 2022, one of its customers got suspicious when someone submitted vulnerability data using aggressive and threatening language. The customer quickly alerted the company, asking them to investigate a “suspicious vulnerability disclosure” submitted by someone using the handle “rzlr.”
Surprisingly, the data was identical to a disclosure the company had previously shared with the same customer.
Investigation Reveals Startling Facts
The company launched an investigation and learned that an insider had been accessing customer disclosures. Internal log data analysis confirmed that the rogue employee created a HackerOne sockpuppet account and resubmitted duplicate versions of vulnerability reports to the same customers to collect bounties.
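A triage-side check for the pattern described here: an incoming report that is near-identical to a disclosure already shared with the customer but arrives from a different handle. This is an added example, not HackerOne's code; the sample disclosures, handles, report ids and similarity threshold are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample corpus: disclosures already on file for one customer program,
# keyed by report id -> (original reporter handle, report text). All hypothetical.
KNOWN_DISCLOSURES = {
    "r-101": ("alice", "Stored XSS in profile bio field: the bio is rendered "
                       "without escaping, allowing script injection via <img onerror>."),
    "r-102": ("bob", "IDOR on /api/invoices/{id}: changing the numeric id returns "
                     "another tenant's invoice PDF."),
}

def shingles(text, k=3):
    """Lower-cased word k-grams; punctuation is dropped so light rewording
    (a copied report with a new greeting or 'please fix') still matches."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if len(words) < k:
        return {tuple(words)}
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets count as identical."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)

@dataclass
class DuplicateFlag:
    incoming_id: str      # id of the report being triaged
    matches: str          # id of the existing disclosure it resembles
    similarity: float     # Jaccard score over word trigrams
    same_reporter: bool   # False means a different handle resubmitted it

def screen_submission(incoming_id, reporter, text, known=KNOWN_DISCLOSURES, threshold=0.6):
    """Return a DuplicateFlag when `text` is near-identical to a disclosure
    already on file; otherwise None. Callers should treat a flag with
    same_reporter=False as a candidate for insider/sockpuppet review."""
    incoming = shingles(text)
    best_id, best_sim, best_reporter = None, 0.0, None
    for rid, (orig_reporter, orig_text) in known.items():
        sim = jaccard(incoming, shingles(orig_text))
        if sim > best_sim:
            best_id, best_sim, best_reporter = rid, sim, orig_reporter
    if best_id is not None and best_sim >= threshold:
        return DuplicateFlag(incoming_id, best_id, round(best_sim, 2),
                             best_reporter == reporter)
    return None
```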
“Following the money trail, we received confirmation that the threat actor’s bounty was linked to an account that financially benefited a then-HackerOne employee. Analysis of the threat actor’s network traffic provided supplemental evidence connecting the threat actor’s primary and sockpuppet accounts.”
HackerOne – Blog Post
How Many Customers Were Targeted?
HackerOne also revealed that the now ex-employee had access to its systems between April 4th and June 23rd, 2022. During this time, the employee was involved in triaging vulnerability disclosures for different customer programs and had contacted seven customers in the same manner.
The company interviewed the employee and later fired him for violating the company’s policies, culture, and employment contract. HackerOne’s chief information security officer Chris Evans and chief technology officer Alex Rice dubbed it a “serious incident.”
The company has notified affected customers about the incident but has not yet decided whether to make a criminal referral against the employee.