A HackerOne employee abused vulnerability reports submitted to the platform for his own benefit. The employee contacted the affected companies with these reports and received money from “a handful of companies.” HackerOne has fired the employee and is considering legal action.
The employee, who used the username rzlr, had been tasked with evaluating the urgency of the vulnerability reports on HackerOne, the platform writes. This gave him access to reports that ethical hackers had submitted to the bug bounty platform.
Rzlr approached the reported companies in a “threatening manner” outside the platform. He pretended to have discovered the vulnerability himself, which made it look to the companies as if the vulnerability had been spotted by two different researchers within a short period of time. In fact, rzlr copied his report from the one submitted on HackerOne.
A “handful” of companies then paid the bug bounty amount to rzlr. HackerOne asserts that the original reporters of the vulnerability also received the bug bounty amount and were therefore not directly harmed by the employee. The platform also says that it has no evidence that the companies reduced the bug bounty amount paid to the original reporters because they had to split the money between the reporter and rzlr.
HackerOne tracked down the employee a week and a half ago, when a company contacted HackerOne about “harassing and suspicious communications” from rzlr. According to the contacted company, the report from rzlr looked suspiciously like a HackerOne report. The platform then launched an investigation, and within 24 hours the employee was identified via the registry, among other things. His laptop was remotely locked after a day and the employee was suspended. Last Thursday, the contract with the employee was terminated. He had been working at HackerOne for 2.5 months.
The platform says it is taking steps to prevent such incidents in the future. For example, HackerOne wants to hire more people to be able to proactively detect insider threats. The platform also wants to screen new employees more thoroughly. On HackerOne, ethical hackers can report vulnerabilities and get paid with bug bounties. PayPal, Facebook, and GitHub, among others, use the platform.