HackerOne employee sold white hat hacker reports about bugs and vulnerabilities to software companies

According to Bleeping Computer and the HackerOne incident report, a staff member at the ethical-hacker bug bounty platform for finding vulnerabilities in software and IT systems violated his work restrictions and illegally sold white hat hackers' reports on bugs and vulnerabilities to the software companies affected by those bugs, in a manner close to blackmail. As a result, some HackerOne partners paid twice for the same vulnerabilities: first to the white hat hackers as a bug bounty, and then to a platform insider who was barely hiding.

After several complaints and notifications from HackerOne customers to the platform administration, an insider was suspected. Moreover, HackerOne began to analyze the incident only a fairly long time after it started. An employee of the platform, without arousing suspicion, was able to obtain vulnerability data belonging to seven partner companies, contact them, and receive payment from some of them for information that white hat hackers had actually provided in their reports.

Platform partners discovered that vulnerability reports from a third party were delivered to them slightly before or slightly after they received the same data from HackerOne, and that these reports contained identical descriptions and similar methods and mechanisms for detecting the bugs, matching those submitted by white hat hackers on HackerOne.

During the investigation, HackerOne found that one of its employees had indeed had access to the platform's internal documents for more than two months. He decided to obtain additional rewards from new partners who joined the platform between April 4 and June 23. As a result, seven companies suffered from his actions and separately paid the fraudulent employee money, in practice for his silence rather than for information about vulnerabilities.

HackerOne traced the payments made by the customers affected by the scam and was able to determine exactly which employee was selling the vulnerability information and how he acted.

“The attacker created an additional user account on HackerOne and received rewards on it for what were allegedly several of his own disclosures. Having determined these rewards to be illegal, HackerOne contacted the respective payment providers to block them and provide all additional information on this incident,” explained HackerOne employees.

An analysis of the network traffic of the employee and of the attacker revealed additional evidence linking his main work account to the fake account on HackerOne. Less than 24 hours after the investigation began, HackerOne revoked his access to the system and remotely locked his work laptop.

Over the next few days, HackerOne performed remote forensic imaging of his work computer and analyzed the data on it. Platform experts reviewed all of this employee's data access logs from his entire period of employment to identify every bounty program whose information he had used for personal gain. On June 30, HackerOne fired the insider.

“After additional review of this incident with our lawyers, the company will decide whether it is appropriate to prosecute the perpetrator in this case. HackerOne continues to review the logs and devices used by the former employee,” the platform explained.

HackerOne explained that its former employee used “threatening” and “intimidating” language in correspondence with clients and urged them to pay quickly, or else data about their vulnerabilities would be disclosed early to third parties.

HackerOne said that "in the vast majority of cases" the platform has no evidence of third-party misuse of the vulnerability data. The company warned all customers affected by the employee's actions that they urgently needed to fix the vulnerabilities previously found by white hat hackers.

On September 21, 2021, the HackerOne community announced the launch of an open source vulnerability search program. It will be part of an ongoing platform program called Internet Bug Bounty.

In March 2022, HackerOne stopped cooperation with Russian specialists and bug hunters, freezing their accounts, and also refused to work with all clients from the Russian Federation and partners, including the removal of all joint projects with Kaspersky Lab from its service.