A HackerOne employee took vulnerability findings that researchers had submitted through the bug bounty platform and disclosed them to the affected customers in order to collect bounty payments for himself.
According to a disclosure published by HackerOne on Friday, the rogue employee contacted roughly six customers and collected rewards "in a handful of disclosures."
HackerOne is a platform for coordinating vulnerability disclosures and arranging financial rewards for the researchers who submit security reports.
Catching the offender
On June 22, a customer asked HackerOne to investigate a suspicious vulnerability disclosure it had received over an off-platform communication channel from an individual using the handle "rzlr."
The customer had noticed that HackerOne had previously received a report of the identical security issue.
Bug collisions, where multiple researchers independently discover and report the same vulnerability, are common. In this instance, however, the genuine report and the one from the threat actor shared glaring similarities that warranted a closer look.
According to HackerOne's investigation, the employee had access to the platform from the day they joined the company on April 4 until June 23. During that time, they contacted seven companies to report vulnerabilities that had already been disclosed through HackerOne's platform.
Threat actor received payment
According to the company, the rogue employee earned rewards for some of the reports they submitted. This allowed HackerOne to follow the money trail and identify the offender as one of its own employees, one who handled vulnerability disclosures for "multiple customer programs."
"The threat actor set up a sockpuppet account on HackerOne and had been paid off in a few exposes. After determining that these bounties were probably improper, HackerOne contacted the appropriate payment sources, who cooperated with us to provide more details," HackerOne said.
More information linking the threat actor’s primary and sockpuppet accounts on HackerOne was discovered by examining the threat actor’s network activity.
Within 24 hours, the bug bounty platform had identified the threat actor, terminated their system access, and remotely locked their laptop while the investigation continued.
Over the following several days, HackerOne reviewed the data access records for that employee throughout their employment to determine which bug bounty programs the threat actor had interacted with, and performed remote forensic imaging and analysis of the suspect's computer.
On June 30, HackerOne terminated the threat actor's employment.
"We will determine whether a criminal referral of this case is appropriate after consulting with counsel. We continue performing forensic examinations on the former employee's devices and production logs," HackerOne said.
HackerOne says its former employee had interacted with customers in a "threatening" and "intimidating" manner, and it recommends that customers contact the company if they were approached in a hostile way with vulnerability information.
According to the company, "in the vast majority of situations" it has no evidence that vulnerability data was exploited. Customers whose reports were accessed by the insider threat actor, whether for malicious or legitimate reasons, have nevertheless been individually informed of the dates and times of access for each vulnerability disclosure.
The notification alerts the hackers to the incident and includes a list of the reports the threat actor accessed, either legitimately as part of their duties or deliberately in order to exploit the reported vulnerabilities.
Update (July 3, 14:21 EST): The article has been updated with HackerOne's notification to hackers whose reports were accessed by the rogue employee.