©2021 Reporters Post24. All Rights Reserved.
HackerOne says an employee stole vulnerability disclosure reports submitted via its platform so they could (at least attempt to) claim the bounty from the company’s partners for themselves.
Many companies have started bug bounty programs to reward security researchers for disclosing vulnerabilities in their products instead of exploiting the flaws themselves, peddling them on the black market, or selling them to zero-day brokers on the gray market. A lot of companies rely on platforms like HackerOne to operate these programs for them.
HackerOne says it “discovered a then-employee had improperly accessed security reports for personal gain” in June. “The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties,” the company says. “This is a clear violation of our values, our culture, our policies, and our employment contracts.”
The entire investigation—from a HackerOne partner expressing doubt about the employee’s recently submitted bug report to cutting off the employee’s access to this data—reportedly took less than 24 hours. (HackerOne says it has also fired the employee in question and is conferring with its lawyers to “decide whether criminal referral of this matter is appropriate.”)
“In summary,” HackerOne says, “this was a serious incident. We are confident the insider access is now contained. Insider threats are one of the most insidious in cybersecurity, and we stand ready to do everything in our power to reduce the likelihood of such incidents in the future.”
The company says that it’s making a number of improvements to its processes, such as collecting additional data that could be relevant to future investigations and restricting employee access to certain information, in response to this incident. It’s not clear why some of these security measures—especially limiting access to disclosure reports—weren’t already in place.