Skip to main content

HackerOne incident raises concerns for insider threats

posted onJuly 6, 2022
by l33tdawg
Portswigger
Credit: Portswigger

A HackerOne employee stole vulnerability reports submitted through the bug bounty platform and disclosed them to affected customers to claim financial rewards.

The rogue worker had contacted about half a dozen HackerOne customers and collected bounties “in a handful of disclosures,” the company said on Friday. HackerOne is a platform for coordinating vulnerability disclosures and intermediating monetary rewards for the bug hunter submitting the security reports.

On June 22, HackerOne responded to a customer request to investigate a suspicious vulnerability disclosure through an off-platform communication channel from someone using the handle “rzlr.” The customer had noticed that the same security issue had been previously submitted through HackerOne. Bug collisions, where multiple researchers find and report the same security issue, are frequent; in this case, the genuine report and the one from the threat actor shared obvious similarities that prompted a closer look.

Source

Tags

Security Industry News

You May Also Like

Recent News

Friday, November 29th

Tuesday, November 19th

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th