Bug bounty platform HackerOne announced that it has discovered a former employee accessed vulnerability reports submitted by users and published them for personal gain, including bug bounties. The company was alerted by a customer who asked it to investigate a suspicious vulnerability disclosure made outside of the HackerOne platform. The customer noted that the disclosure closely resembled an existing report previously submitted through HackerOne.
Investigation
The HackerOne security team began investigating the issue after receiving the customer's report. The investigation revealed that a then-employee had improperly accessed security reports for personal gain. The former employee disclosed the stolen vulnerability information on other platforms to claim bounties. The individual was identified and had all access to data revoked. The employee was terminated, and HackerOne strengthened its controls to prevent similar incidents.
HackerOne stated that customers directly impacted by the incident have received direct communication from the company with actionable details. The email includes information about which reports were accessed by the threat actor. The company said:
"In summary, this was a serious incident. We are confident the insider access is now contained. Insider threats are one of the most insidious in cybersecurity, and we stand ready to do everything in our power to reduce the likelihood of such incidents in the future. A special thank you to the customer who originally alerted us to the possibility of something being wrong and to all the customers who subsequently assisted with this incident."