HackerOne busts employee selling its security reports

Bug bounty programmes can be incredibly valuable for firms that need to keep their customer data under wraps. Unfortunately, organising and keeping tabs on these programmes requires special effort, which is why HackerOne was born.

HackerOne is a trusted platform through which ethical hackers can submit vulnerability reports. While a hacker could contact a company directly, and some do, this isn’t best practice.

At the weekend, however, HackerOne disclosed an incident which doesn’t paint the firm in the best light.

In the middle of June, HackerOne was contacted by a customer who said they had received a vulnerability disclosure outside of the HackerOne platform.

“The submitter of this off-platform disclosure reportedly used intimidating language in communication with our customer. Additionally, the submitter’s disclosure was similar to an existing disclosure previously submitted through HackerOne. Bug collisions and duplicates, where multiple security researchers independently discover a single vulnerability, commonly occur in bug bounty platforms. However, this customer expressed skepticism that this was a genuine collision and provided detailed reasoning. The HackerOne security team took these claims seriously and immediately began an investigation,” the incident report reads.

As it turned out, the person behind this disclosure was a now former employee who accessed security reports with a view to selling them on for extra money. The employee used the handle “rzlr”, and HackerOne has urged customers to be wary of off-platform disclosures that come from this handle.

“This is a clear violation of our values, our culture, our policies, and our employment contracts. In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data. We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future. Subject to our review with counsel, we will also decide whether criminal referral of this matter is appropriate,” writes HackerOne.

In its timeline of events, HackerOne says that it was thanks to its internal processes that this matter could be resolved so speedily. In truth, the employee was rather careless and given that HackerOne knew which incidents were being sold on, finding the employee was simple.

The now former employee is said to have contacted as many as seven HackerOne customers in a bid to sell on data. As for hackers who submitted bugs and are worried about duplicate disclosures, HackerOne says they need not be concerned.

“Our investigation so far has not discovered any situation where the threat actor made a duplicate disclosure that interfered with the judgment or bounty amount for the original disclosure. All disclosures made from the threat actor were considered duplicates. Bounties applied to these submissions did not impact the original submissions. We will be careful to consider fairness to hackers as our investigation continues,” the firm wrote in an incident report.

This is of course a serious incident and it’s great to see HackerOne treating it as such. We do, however, shudder to think what would have happened had the HackerOne customer not alerted the firm to the incident.

This provides a teachable moment, though: intelligence sharing in the information and cyber security space is vital. To believe one IT team can fend off thousands of hackers who are working together is folly. Remember, if you see something strange, tell somebody about it; you could just save a company from a massive headache.
