Bug Bounty platform employee abused internal access to steal bounties


Image: Westend61/Getty Images

An employee of bug bounty platform HackerOne abused his access to internal systems to submit bug reports and collect payments, the company said on Friday.

In a public incident report, HackerOne said a former employee used the handle “rzlr” to submit duplicate bug reports to HackerOne customers and, in some cases, was able to collect payments. In practice, the employee saw other people’s bug submissions, copied the content, and submitted the same reports to customers in hopes of getting the companies to pay them.

“We discovered that a then-employee had improperly accessed security reports for personal gain. The individual anonymously disclosed this vulnerability information outside of the HackerOne platform in an attempt to claim additional bounties,” the company wrote in its disclosure. “This is a gross violation of our values, culture, policies, and employment contracts.”

HackerOne did not reveal the former employee’s name or how much money he made.

A company spokesperson said it does not plan to release the former employee’s identity and is discussing with attorneys whether to report the former employee to law enforcement.

This is a classic case of what is commonly referred to as an “insider threat,” when an employee abuses their access to company systems and data to their own advantage. In this case, the scheme was fairly simple. The former employee’s job was to triage bug reports, so they already had access to everything needed to read incoming bug reports and resubmit them under a pseudonym, according to HackerOne.

Do you have information on other cases of insider abuse or insider threats? We would love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email [email protected]

The company’s investigation began after a customer alerted HackerOne to receiving a report that used “intimidating language” and sounded very similar to “an existing disclosure”, according to the company. Within 24 hours, HackerOne said it identified the insider threat and fired them, terminating their access to the system “and remotely locking their laptop pending further investigation.”

“We are now satisfied that this incident was limited to a single employee who improperly accessed information in gross violation of our values, culture, policies and employment contracts,” the company wrote.

HackerOne said it identified the former employee by analyzing access logs, which revealed that “a single employee had accessed each disclosure that our customers suspected was re-disclosed by the threat actor”, who used a sockpuppet account to submit reports to seven customers.
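The detection HackerOne describes is an intersection: of all employees, find the ones who accessed every report the customers flagged as re-disclosed. The following is an added illustration of that log analysis and is not code from the article or from HackerOne; the log format, employee names, and report IDs are constructed for the example.

```python
"""Find the employee who accessed every report suspected of being re-disclosed.

Added example, not from the article or HackerOne. The access-log format
(timestamp, employee, action, report id), the employees, and the report IDs
below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: one "ts user action report" record per line.
SAMPLE_LOG = """\
2022-06-01T09:12:03Z alice view report-1001
2022-06-01T09:15:41Z bob view report-1001
2022-06-01T10:02:11Z bob view report-1002
2022-06-02T11:30:00Z carol view report-1002
2022-06-02T11:45:27Z bob view report-1003
2022-06-03T08:05:19Z alice view report-1004
2022-06-03T08:06:02Z bob view report-1004
2022-06-03T14:20:55Z carol view report-1005
"""

# Constructed set of report IDs that customers flagged as re-disclosed.
SUSPECTED = {"report-1001", "report-1002", "report-1003", "report-1004"}


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, report = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        entries.append({"ts": when, "user": user, "action": action, "report": report})
    return entries


def accesses_by_user(entries):
    """Map each employee to the set of report IDs they accessed."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["user"]].add(e["report"])
    return seen


def users_covering_all(entries, suspected):
    """Employees whose accesses include every suspected report.

    This is the intersection of the accessor sets of the flagged reports.
    As the flagged set grows, the intersection shrinks, which is how the
    search narrows to a single employee. Ties are broken by total breadth
    of access (widest first), then by name for a stable order.
    """
    seen = accesses_by_user(entries)
    covering = [u for u, reports in seen.items() if suspected <= reports]
    return sorted(covering, key=lambda u: (-len(seen[u]), u))


def coverage_table(entries, suspected):
    """For each employee, how many of the suspected reports they accessed."""
    seen = accesses_by_user(entries)
    return {u: len(reports & suspected) for u, reports in seen.items()}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("coverage per employee:", coverage_table(log, SUSPECTED))
    print("accessed all suspected reports:", users_covering_all(log, SUSPECTED))
```

The coverage table is worth printing alongside the intersection: a single employee matching all flagged reports is strong evidence, but a near-miss (an employee who touched most of them) can point at a second account or a gap in the flagged set, and a triager whose job legitimately requires reading every report needs the per-report access to be compared with timing of the duplicate submissions before it means anything.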

The company also announced a series of enhanced security measures to prevent similar situations, such as better logging of employee activity, assigning more employees to investigate and monitor insider threats, and “enhanced” screening during the hiring process, among other things.
