A HackerOne employee accessed bug reports to claim extra bounties

HackerOne, the largest bug bounty platform, said it has fired an employee who took vulnerability reports submitted by external researchers and resubmitted them, outside the platform, for personal gain.

HackerOne is a bug bounty platform that large companies and government agencies use to run their bug bounty programs. HackerOne receives vulnerability reports from ethical hackers about a customer's software, triages the reports internally, and determines whether the reporter is owed a reward.

There is a large sum of money at stake. By 2020, HackerOne had paid out over $100 million to researchers, who had reported more than 181,000 vulnerabilities through the programs it has administered since its launch in 2012. Last year Zoom, a HackerOne customer, paid $1.4 million through a program managed by HackerOne.

HackerOne co-founder and CISO Chris Evans said in a blog post on Friday that a now-former employee, who worked in a triage role across many customer bounty programs, improperly accessed vulnerability reports at some point between April 4 and June 22 and then disclosed the information outside of the HackerOne platform in order to claim additional bounties.

According to Evans, in a "small number of the disclosures" the employee was actually paid a bounty.

The company began investigating on June 22, after a customer asked it to look into "a suspicious vulnerability disclosure made outside of the HackerOne platform." The submitter, using the handle "rzlr", had reportedly used threatening language in their communication with the customer about the vulnerability.

“This customer expressed skepticism that this was an actual collision and detailed the reasons,” Evans said.

In bug bounty terms, a "collision" is two researchers independently finding and reporting the same bug; the customer did not believe that was what had happened. Evans said the former employee had anonymously disclosed information about the vulnerability outside of the HackerOne platform with the goal of claiming an additional bounty.

"Our investigation concluded that a (now former) HackerOne employee improperly accessed a customer's vulnerability data in order to resubmit duplicate vulnerabilities to that same customer for personal gain," he explained.

"This was a clear violation of our values, culture, policies and employment contract. In less than 24 hours, we worked quickly to contain the incident by identifying the employee and cutting off their access to the data. We terminated the employee, and further strengthened our defenses to avoid similar situations in the future."

HackerOne revoked the employee's system access and remotely locked their laptop on June 23. It interviewed the employee on June 24, and on June 27 took possession of the laptop, which was then remotely imaged and forensically analyzed.

The employee, who had held system access since April 4, had been in contact with seven HackerOne customers.

HackerOne formally terminated the employee on June 30 and, by July 1, had notified every bug bounty customer that had had any interaction with the employee, it said.

HackerOne said it is confident the disclosures were the work of a single employee rather than multiple insiders.

"This is a serious incident. We are confident that insider access is now under control. Insider threats are one of the darkest things in cybersecurity, and we stand ready to do whatever is within our power to reduce the likelihood of such incidents in the future," Evans said.

Evans acknowledged that HackerOne's existing detection and response systems did not proactively detect this threat. That is the hard part of this class of incident: a triager's job legitimately requires reading customer reports, so the access itself does not look anomalous, and what has to be caught is the later misuse of what was read. The company plans to strengthen its employee screening process, improve data isolation and network logging, and run new simulations to test whether it can actually detect insider threats.

HackerOne raised $49 million in funding in January, bringing its total funding to $160 million. Customers include the US Department of Defense, Dropbox, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Microsoft, Singapore's Ministry of Defence, Nintendo, PayPal, Slack, Starbucks, Twitter and Yahoo.
