HackerOne, the bug bounty platform that brokers vulnerability submissions between security researchers and participating companies, has disclosed a rogue-employee incident this week.
HackerOne said one of its recently hired employees resubmitted already-confirmed bug reports through a sock-puppet account and collected bounties from the affected companies. HackerOne identified and terminated the rogue employee and informed the affected companies about its investigation.
HackerOne Employee Stealing Bounties
On June 22, HackerOne received a request from a researcher using the handle "rzlr" to investigate a suspicious vulnerability disclosure, which led the platform to uncover a fraud being run from inside the company.
The very next day, HackerOne established that one of its employees, who had had access to the platform for over two months since joining the company, had been resubmitting already-disclosed vulnerabilities to participating companies as their own.
Routing these duplicate submissions through a sock-puppet account, the rogue employee contacted seven companies and received bounties for some of the submissions. Working with its payment partners on the investigation, HackerOne identified the rogue employee and terminated their employment immediately.
"After identifying these bounties as likely improper, HackerOne reached out to the relevant payment providers, who worked cooperatively with us to provide additional information."
HackerOne also remotely locked the employee's laptop pending the inquiry and performed forensic imaging and analysis of the device. On June 30, HackerOne said it would review the matter with counsel to decide whether a criminal referral is appropriate.
"We continue forensic analysis on the logs produced and devices used by the former employee." – HackerOne
HackerOne also said it found no evidence that vulnerability data was misused beyond these submissions, and individually notified customers whose reports the employee had accessed, including the dates and times of access for each vulnerability report.