HackerOne employee accessed bug reports to claim extra bounties

The largest bug bounty platform HackerOne said it has fired an employee who took bug reports submitted by external researchers and filed the same reports elsewhere for personal gain. 

HackerOne is one bug bounty platform that big companies and government departments have turned to manage their bug bounties. HackerOne receives bug reports from ethical hackers about software, and then internally triages the reports to determine whether or not to pay rewards to those who report them. 

There’s big money at stake. By 2020, HackerOne had paid out over $100 million to participants who’d reported over 181,000 vulnerabilities through bounties it manages since launching in 2012. Last year Zoom, a HackerOne customer, paid out $1.4 million through HackerOne managed bounties. 

HackerOne co-founder and CISO Chris Evans said in a Friday blogpost that the now-former employee — whose role was to triage bugs for numerous customer bounty programs — had improperly accessed security reports at some point between April 4 and June 22 and then leaked the information outside of the HackerOne platform to claim additional bounties elsewhere. 

The employee wrongfully received bounties in a “handful of disclosures”, according to Evans.  

The firm investigated the incident after receiving a customer filed a complaint on June 22 asking it to investigate “a suspicious vulnerability disclosure made outside of the HackerOne platform.” The reporter, using the name “rzlr”, had used “threatening communication” about the vulnerability disclosure. 

“This customer expressed skepticism that this was a genuine collision and provided detailed reasoning,” said Evans. 

Evans said that the former employee anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties. 

“Our investigation has concluded that a (now former) HackerOne employee improperly accessed vulnerability data of customers to re-submit duplicate vulnerabilities to those same customers for personal gain,” he explains later.

“This is a clear violation of our values, our culture, our policies, and our employment contracts. In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data. We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future.”

HackerOne terminated the employee’s system access and remotely locked their laptop on June 23. It interviewed the employee on June 24 and on June 27 “took possession of laptop of suspended threat actor and conducted remote forensics imaging and analysis.” 

The employee, who had system access since April 4, had been in contact with seven HackerOne customers.

HackerOne officially terminated the employee on June 30. By July 1, HackerOne had notified all customers whose bug bounty programs had any interaction with the employee, it said. 

HackerOne says it is confident the external disclosure was not the work of multiple insider threats, but the one employee. 

“This was a serious incident. We are confident the insider access is now contained. Insider threats are one of the most insidious in cybersecurity, and we stand ready to do everything in our power to reduce the likelihood of such incidents in the future,” said Evans.

Evans admits HackerOne’s existing detection and response systems didn’t proactively detect this threat. The firm plans on enhancing its screening process for employees, improving data isolation and network logging, and will implement new simulations to test whether it can detect insider threats.   

HackerOne raised in $49 million in funding in January, bringing its total funding to $160 million. Customers include The U.S. Department of Defense, Dropbox, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Microsoft, Singapore’s Ministry of Defense, Nintendo, PayPal, Slack, Starbucks, Twitter, and Yahoo.