HackerOne employee stole vulnerability reports and claimed bug bounties himself

Spread the love

A HackerOne employee misused vulnerability reports given to the platform for his own benefit. The employee approached companies with these reports and thus received money from ‘a handful of companies’. HackerOne has fired the employee and is considering legal action.

The employee with the username rzlr was tasked with assessing the urgency of vulnerability reports on HackerOne, writes the platform. This gave him access to reports from ethical hackers to the bug bounty platform.

Rzlr approached the companies reportedly “in a threatening manner” outside the platform. He pretended to have found the vulnerability himself, making it seem to the companies that the vulnerability had been spotted by two different researchers in a short period of time. In reality, rzlr had copied his or her report from the HackerOne report.

A ‘handful’ of companies would then have transferred a bug bounty amount to rzlr. HackerOne emphasizes that the original reporters of the vulnerability also received the bug bounty amount and that they were therefore not harmed directly by the employee. The platform also says it has no evidence that companies have reduced the bug bounty amount for the original reporters because they had to split money between the reporter and rzlr.

HackerOne tracked down the employee a week and a half ago when a company contacted HackerOne about “harassing and suspicious communications” from rzlr. According to the company approached, the report from rzlr looked suspiciously like the report from HackerOne. The platform then started an investigation, within 24 hours the employee was found via logging, among other things. His or her laptop was locked remotely a day later and the employee was put on hold. Last Thursday, the contract with the employee was terminated. He or she worked at HackerOne for 2.5 months.

The platform says it is taking steps to prevent incidents like this in the future. For example, HackerOne wants to hire more people to proactively detect insider threats. The platform also wants to screen new employees better. At HackerOne, ethical hackers can report vulnerabilities and get money through bug bounties. PayPal, Facebook and GitHub, among others, are affiliated with the platform.

You might also like
Exit mobile version