A former HackerOne employee stole vulnerability reports from security researchers for personal gain, a bug bounty platform reported.
The platform said a HackerOne employee received bounties in a handful of disclosures. HackerOne started an internal investigation after its customer reported a suspicious vulnerability disclosure made outside the HackerOne platform.
"The submitter of this off-platform disclosure reportedly used intimidating language in communication with our customer. Additionally, the submitter's disclosure was similar to an existing disclosure previously submitted through HackerOne," the platform said.
Bug collisions and duplicates are not that uncommon. However, this case felt a little different, so the platform started an internal investigation.
HackerOne Security team discovered that a then-employee had improperly accessed security reports for personal gain.
"The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties. [...] In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data," the platform said.
The threat actor had access to HackerOne systems between April 4th and June 23rd of 2022 and had received bounties in "a handful of disclosures."
"We will decide whether criminal referral of this matter is appropriate. We continue forensic analysis on the logs produced and devices used by the former employee. We are reaching out to other bug bounty platforms to share details in case their customers received similar communications from "rzlr" [threat actor's handle]. The threat actor's motives appear to be financial in nature," HackerOne said.
Your email address will not be published. Required fields are markedmarked