HackerOne, the largest bug bounty platform, said it fired an employee who took bug reports submitted by outside researchers and resubmitted the same reports elsewhere for personal gain.
HackerOne is a bug bounty platform that major corporations and government agencies have used to manage their bug bounties. HackerOne receives bug reports from ethical hackers about software and then reviews the reports internally to determine whether rewards should be paid to those who report them.
A lot of money is at stake. By 2020, HackerOne had paid out more than $100 million to participants who reported more than 181,000 vulnerabilities through the bounties it has administered since its launch in 2012. Last year Zoom, a HackerOne customer, paid out $1.4 million through HackerOne-managed bounties.
HackerOne Co-Founder and CISO Chris Evans said in a Friday blog post that at some point between April 4 and June 22, the now former employee, whose role was to handle bug reports for numerous customer bounty programs, had inappropriately accessed security reports and then leaked the information outside of the HackerOne platform to claim additional bounties elsewhere.
The employee improperly collected bounties in a “handful of disclosures,” Evans said.
The company investigated the incident after receiving a complaint on June 22 from a customer asking it to look into “a suspicious disclosure of a vulnerability outside of the HackerOne platform.” The reporter, who went by the name “rzlr”, had used “threatening communication” about the vulnerability’s disclosure.
“This customer expressed skepticism that this was a real collision and provided detailed reasoning,” said Evans.
Evans said the former employee disclosed this vulnerability information anonymously outside of the HackerOne platform for the purpose of claiming additional bounties.
“Our investigation concluded that a (now former) HackerOne employee inappropriately accessed customer vulnerability data to resubmit duplicate vulnerabilities to those same customers for personal gain,” he explained.
“This is a clear violation of our values, culture, policies and employment contracts. In less than 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data. We have since terminated the employee, and have further strengthened our defenses to prevent similar situations in the future.”
HackerOne terminated access to the employee’s system and remotely shut down the laptop on June 23. It interviewed the employee on June 24, and on June 27, “seized the laptop of a suspended threat actor and performed forensic imaging and analysis remotely.”
The employee, who had system access since April 4, had contact with seven HackerOne customers.
HackerOne officially terminated the employee on June 30. By July 1, HackerOne had notified all customers whose bug bounty programs had any interaction with the employee.
HackerOne says it is convinced that the external disclosure was the work of that single employee and not of multiple insiders.
“This was a serious incident. We believe that insider access is now restricted. Insider threats are one of the most insidious in cybersecurity and we stand ready to do everything in our power to reduce the chance of such incidents in the future,” said Evans.
Evans acknowledged that HackerOne’s existing detection and response systems failed to proactively detect this threat. The company plans to improve its employee screening process, improve data isolation and network logging, and implement new simulations to test its ability to detect insider threats.
HackerOne raised $49 million in funding in January, bringing total funding to $160 million. Clients include the US Department of Defense, Dropbox, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Microsoft, the Department of Defense of Singapore, Nintendo, PayPal, Slack, Starbucks, Twitter, and Yahoo.