Security News > 2022 > July > HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains

Vulnerability coordination and bug bounty platform HackerOne on Friday disclosed that a former employee at the firm improperly accessed security reports submitted to it for personal gain.

The employee, who had access to HackerOne systems between April 4 and June 23, 2022, for triaging vulnerability disclosures associated with different customer programs, has since been terminated by the San Francisco-headquartered company as of June 30.

Calling the incident as a "Clear violation" of its values, culture, policies, and employment contracts, HackerOne said it was alerted to the breach on June 22 by an unnamed customer, which asked it to "Investigate a suspicious vulnerability disclosure" through an off-platform communication from an individual with the handle "Rzlr" using "Aggressive" and "Intimidating" language.

Subsequently, analysis of internal log data used to monitor employee access to customer disclosures traced the exposure to a rogue insider, whose goal, it noted, was to re-submit duplicate vulnerability reports to the same customers using the platform to receive monetary payouts.

"The threat actor created a HackerOne sockpuppet account and had received bounties in a handful of disclosures," HackerOne detailed in a post-mortem incident report, adding seven of its customers received direct communication from the threat actor.

HackerOne further said it has individually notified customers about the exact bug reports that were accessed by the malicious party along with the time of access, while emphasizing it found no evidence of vulnerability data having been misused or other customer information accessed.

News URL

https://thehackernews.com/2022/07/hackerone-employee-caught-stealing.html