HackerOne News: HackerOne Fires Employee Who Stealed Bug Reports To Make Money Elsewhere
After investigation by the HackerOne Security team, it discovered that a then-employee had anonymously leaked vulnerability information outside the HackerOne platform in an attempt to claim additional bounties.
“This is a gross violation of our values, culture, policies and employment contracts. In less than 24 hours, we worked quickly to contain the incident by identifying the employee of the ‘time and cutting off access to data,’ the company said. in a report.
“We have since terminated the employee and strengthened our defenses to avoid similar situations in the future,” he added.
On June 22, a customer asked HackerOne to investigate a suspicious vulnerability disclosure made outside of their platform.
This customer expressed skepticism about the real collision and provided detailed reasoning.
Discover the stories that interest you
HackerOne’s security team took these allegations seriously and opened an investigation.
“Our investigation concluded that a (now former) HackerOne employee improperly accessed customer vulnerability data to resubmit duplicate vulnerabilities to those same customers for personal gain,” said Alex Rice, Founder and technical director.
The company has identified seven customers who received direct communication from the threat actor.
“We notified each of the customers about our investigation and requested information related to their interactions,” said Chris Evans, CISO.
“As a result of the findings of our investigation, we believe we have taken the necessary steps to contain insider access,” he added.
HackerOne paid out over $100 million to participants in 2020 who reported over 181,000 vulnerabilities through bounties.