September 27, 2023

HackerOne says an employee stole vulnerability disclosure reports submitted via its platform to claim the bounty from the company’s partners for themselves.

Bug bounty programs are initiated by companies to reward security researchers for disclosing vulnerabilities in their products instead of exploiting the flaws themselves. Many companies rely on platforms like HackerOne to operate these programs for them.

Advertisements

HackerOne says it discovered an employee had improperly accessed security reports for personal gain. The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties.

The entire investigation from a HackerOne partner expressing doubt about the employee’s recently submitted bug report to cutting off the employee’s access to this data reportedly took less than 24 hours.

HackerOne making a number of improvements to its processes, such as collecting additional data that could be relevant to future investigations and restricting employee access to certain information, in response to this incident.

Advertisements

These reports submitted by this former employee were marked as duplicates, which leads it to believe that payouts to legitimate security researchers weren’t affected.

The company says it has emailed all of the companies that were contacted by the former employee and plans to inform hackers whose reports were accessed of the intrusion.

Tags:

Leave a Reply

You may have missed

BORN Canada latest victim of MoveIT data breach

September 27, 2023

Hardware Supply Chain Risk Assessment from CISA

September 27, 2023

Sony attack – Ransomed.vc claims responsibility

September 26, 2023

Chrome Zeroday – CVE-2023-4863 PoC Exploit Released

September 25, 2023

BlackCat adds Clarion to its Victim list

September 24, 2023

TheCyberThrone Security Week In Review – September 23, 2023

September 24, 2023
%d bloggers like this: