Monday, December 4, 2023

HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains

Vulnerability coordination and bug bounty platform HackerOne on Friday disclosed that a former employee at the firm improperly accessed security reports submitted to it for personal gain.

“The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties,” it said. “In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data.”

The employee, who had access to HackerOne systems between April 4 and June 23, 2022, for triaging vulnerability disclosures associated with different customer programs, has since been terminated by the San Francisco-headquartered company as of June 30.

Calling the incident a “clear violation” of its values, culture, policies, and employment contracts, HackerOne said it was alerted to the breach on June 22 by an unnamed customer, which asked it to “investigate a suspicious vulnerability disclosure” received via an off-platform communication from an individual with the handle “rzlr” using “aggressive” and “intimidating” language.

Subsequently, analysis of internal log data used to monitor employee access to customer disclosures traced the exposure to a rogue insider, whose goal, it noted, was to re-submit duplicate vulnerability reports to the same customers using the platform in order to receive monetary payouts.

“The threat actor created a HackerOne sockpuppet account and had received bounties in a handful of disclosures,” HackerOne detailed in a post-mortem incident report, adding that seven of its customers received direct communication from the threat actor.

“Following the money trail, we received confirmation that the threat actor’s bounty was linked to an account that financially benefited a then-HackerOne employee. Analysis of the threat actor’s network traffic provided supplemental evidence connecting the threat actor’s primary and sockpuppet accounts.”


HackerOne further said it has individually notified customers about the specific bug reports that were accessed by the malicious party, along with the time of access, while emphasizing that it found no evidence of vulnerability data having been misused or of other customer information being accessed.

On top of that, the company noted it aims to implement additional logging mechanisms to improve incident response, isolate data to reduce the “blast radius,” and enhance the processes in place to identify anomalous access and proactively detect insider threats.
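The two signals the article describes, access logs for report views and a duplicate submission trail, can be joined to surface exactly this pattern. The following is an added illustration, not HackerOne's code; the log format, employee names, handles and triage assignments are constructed. It flags triagers viewing reports outside the programs assigned to them, and links duplicate submissions from an outside handle back to employees who had viewed the original report shortly before.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from HackerOne's report). ACCESS_LOG: one line per
# employee view of a customer report: time, employee, report id, program.
ACCESS_LOG = """\
2022-06-10T09:12:00 emp_a R-1001 prog_alpha
2022-06-10T09:40:00 emp_a R-1002 prog_alpha
2022-06-11T14:05:00 emp_b R-2001 prog_beta
2022-06-12T08:30:00 emp_b R-3001 prog_gamma
2022-06-12T08:31:00 emp_b R-3002 prog_gamma
2022-06-12T08:32:00 emp_b R-3003 prog_gamma
"""
# SUBMISSIONS: reports a customer later closed as duplicates: time, submitting
# handle, new report id, id of the original it duplicates, program.
SUBMISSIONS = """\
2022-06-15T10:00:00 handle_x R-9001 R-3001 prog_gamma
2022-06-16T11:00:00 handle_x R-9002 R-3003 prog_gamma
2022-06-20T12:00:00 handle_y R-9003 R-1002 prog_alpha
"""
ASSIGNED = {"emp_a": {"prog_alpha"}, "emp_b": {"prog_beta"}}  # hypothetical triage assignments

def parse(text):
    # Whitespace-delimited lines; the first field is an ISO-8601 timestamp.
    return [(datetime.fromisoformat(f[0]), *f[1:])
            for f in (line.split() for line in text.strip().splitlines())]

def out_of_scope_access(access_log, assigned):
    """Views of reports in programs the employee is not assigned to triage."""
    return [(emp, rep, prog) for _, emp, rep, prog in parse(access_log)
            if prog not in assigned.get(emp, set())]

def insider_dup_links(access_log, submissions, window_days=30):
    """Count, per (external handle, employee), duplicate submissions that arrived
    within window_days after that employee viewed the original report."""
    views = defaultdict(list)  # report id -> [(view time, employee)]
    for when, emp, rep, _prog in parse(access_log):
        views[rep].append((when, emp))
    links = defaultdict(int)
    for when, handle, _new_id, dup_of, _prog in parse(submissions):
        for seen_at, emp in views.get(dup_of, []):
            if timedelta(0) <= when - seen_at <= timedelta(days=window_days):
                links[(handle, emp)] += 1
    return dict(links)

def flag_pairs(links, threshold=2):
    """A single coincidence is noise; repeated links to one handle are a lead."""
    return sorted(pair for pair, n in links.items() if n >= threshold)
```

A single employee-to-handle link is expected background noise (legitimate duplicates happen), which is why the threshold matters; the out-of-scope check is the cheaper, earlier signal and would have fired on the bulk views of prog_gamma here.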


