HackerOne says an employee stole vulnerability disclosure reports submitted via its platform to claim the bounty from the company’s partners for themselves.
Bug bounty programs are initiated by companies to reward security researchers for disclosing vulnerabilities in their products instead of exploiting the flaws themselves. Many companies rely on platforms like HackerOne to operate these programs for them.
HackerOne says it discovered an employee had improperly accessed security reports for personal gain. The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties.
The entire investigation from a HackerOne partner expressing doubt about the employee’s recently submitted bug report to cutting off the employee’s access to this data reportedly took less than 24 hours.
In response to this incident, HackerOne is making a number of improvements to its processes, such as collecting additional data that could be relevant to future investigations and restricting employee access to certain information.
The reports submitted by this former employee were marked as duplicates, which leads HackerOne to believe that payouts to legitimate security researchers weren’t affected.
The company says it has emailed all of the companies that were contacted by the former employee and plans to inform hackers whose reports were accessed of the intrusion.