HackerOne employee stole bug reports for selling them on the side

Employee stole reports from bug bounty platform to disclose them to customers and claim rewards

HackerOne employee collected bounties

Customers got contacted by the employee that asked for rewards for disclosure of already reported flaws

A rogue employee stole vulnerability reports submitted via the bug bounty platform and disclosed them to the affected customers so that financial rewards could be claimed. The worker contacted around half a dozen HackerOne customers and collected bounties from them for disclosing vulnerabilities that had been reported but not yet published.[1]

The vulnerability coordination platform reported the incident involving a former employee who improperly accessed security reports and used the information for personal gain.[2]

The threat actor created a HackerOne sockpuppet account and received bounties in a handful of disclosures

The report[3] stated that within 24 hours the company had contained the incident and identified the employee, cutting off their access to the security information right away. The improper access took place between April 4 and June 23, 2022. The San Francisco-headquartered company terminated the employee over the vulnerability disclosures by June 30.

Violation of the values and employment contracts

The company was alerted to the breach on June 22 by a customer who asked it to investigate suspicious disclosures of security vulnerabilities. The customer had been contacted through an off-platform communication channel by a person using aggressive language. The customer, who used the handle “rzlr”, noticed that the security issue the employee contacted them about had already been submitted through HackerOne.

This is a clear violation of the company's values, culture, policies, and even employment contracts. Log data used to monitor employee access revealed a rogue insider whose goal was to re-submit duplicate vulnerability reports to the same customers that use the platform, in order to receive the payouts.[4]

Bug collisions, in which researchers report the same security issue or vulnerability, can be common. That was the case with the genuine report and the one from the malicious actor: both had enough similarities to prompt the investigation. The employee started the campaign soon after joining the company. Seven organizations that are HackerOne customers received direct messages from this malicious actor.

Payment for the threat actor

The employee who abused access to security vulnerability information received bounties for some of the reports that customers got. HackerOne, however, followed the money trail and identified the perpetrator as one of its own workers. The investigation provided additional evidence connecting the malicious actor to the primary account and the sockpuppet accounts.

The investigation was held over a few days. Remote forensic imaging and analysis of the suspect's computer, a complete data review, and data access logs determined every program the rogue employee interacted with. The company notified hackers about the incident with an email stating that a list of reports they had possibly submitted had been accessed by the rogue employee.

Implementing security measures is always important,[5] for users, companies, and organizations alike. Information leaks and breaches like this can lead to major problems for customers, users, and the companies and organizations involved. HackerOne noted that it is important to implement additional logging mechanisms to improve the response to such security incidents. Isolating data can reduce anomalous access and help proactively detect insider threats.
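The detection that the logging recommendation above points at is a join between two records the platform already keeps: which staff member viewed which report, and which later external submission was triaged as a duplicate of it. The following is an added example, not HackerOne's code; the log format, field names and all log lines are constructed for illustration, and a benign collision (a different researcher, one hit) is included to show that a single match is not enough to escalate.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed staff access log (hypothetical format): who viewed which report.
ACCESS_LOG = """\
2022-04-05T10:12:00Z staff=emp_42 action=view_report report=R-1001 program=acme
2022-04-05T10:15:00Z staff=emp_42 action=view_report report=R-1002 program=acme
2022-04-06T09:00:00Z staff=emp_17 action=view_report report=R-2001 program=globex
2022-05-10T14:30:00Z staff=emp_42 action=view_report report=R-3001 program=initech
"""
# Constructed submission log: external reports and the triage outcome, where
# duplicate_of names the earlier original report ('-' means not a duplicate).
SUBMISSION_LOG = """\
2022-04-09T08:00:00Z researcher=acct_x report=R-1050 program=acme duplicate_of=R-1001
2022-04-20T11:00:00Z researcher=alice report=R-1060 program=acme duplicate_of=R-1002
2022-05-12T16:45:00Z researcher=acct_x report=R-3050 program=initech duplicate_of=R-3001
2022-06-01T16:45:00Z researcher=acct_x report=R-4001 program=umbrella duplicate_of=-
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.strip().splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(KV.findall(rest))
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def correlate_duplicates(access_log, submission_log, window_days=30):
    """Return (staff, researcher, original, duplicate) for every external duplicate
    filed within window_days after a staff member viewed the original report."""
    views = defaultdict(list)  # report id -> [(view time, staff)]
    for ev in parse_log(access_log):
        if ev.get("action") == "view_report":
            views[ev["report"]].append((ev["ts"], ev["staff"]))
    hits = []
    for sub in parse_log(submission_log):
        orig = sub.get("duplicate_of", "-")
        for ts, staff in views.get(orig, []):
            if ts <= sub["ts"] <= ts + timedelta(days=window_days):
                hits.append((staff, sub["researcher"], orig, sub["report"]))
    return hits

def flag_insiders(hits, min_hits=2):
    """Count staff/researcher pairs; a pair that recurs is the anomaly to escalate,
    while a single match is most likely an ordinary bug collision."""
    pairs = Counter((staff, researcher) for staff, researcher, _, _ in hits)
    return {pair: n for pair, n in pairs.items() if n >= min_hits}
```

Running `flag_insiders(correlate_duplicates(ACCESS_LOG, SUBMISSION_LOG))` on the constructed data flags only the emp_42/acct_x pair; the alice collision matches once and is left alone.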

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
