
Bug bounty reporter cashes out on someone else's exploit
2020-10-19 09:39

Last year, HackerOne had paid over $62 million in bug bounty rewards, with the figure surpassing $100 million this year according to the platform's latest report.

Over the weekend, security professional Guido Vranken alleged that a vulnerability reported to Monero's bug bounty program run by HackerOne was a verbatim copy of his previously discovered exploit.

At the time of writing, Monero staff have stated in the same HackerOne report that, even though the bug was plagiarized, they are unable to withdraw the already-paid sum of money.

"The person copied it from [GitHub] where I initially reported it. I never submitted this to the Monero bounty program myself, so they were unable to know that it was in fact me who wrote the report," Vranken told BleepingComputer.

Unless policies on validating the authenticity of vulnerability reports and on bug bounty payouts are reviewed by platforms, there remains room for abuse by malicious actors.

News URL

https://www.bleepingcomputer.com/news/security/bug-bounty-reporter-cashes-out-on-someone-elses-exploit/