Vulnerability coordination and bug bounty platform HackerOne on Friday disclosed that a former employee at the company improperly accessed security reports submitted to it for personal gain.
“The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties,” it said. “In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data.”
The employee, who had access to HackerOne systems between April 4 and June 23, 2022, for triaging vulnerability disclosures associated with different customer programs, has since been terminated by the San Francisco-headquartered company as of June 30.
Calling the incident a “clear violation” of its values, culture, policies, and employment contracts, HackerOne said it was alerted to the breach on June 22 by an unnamed customer, which asked it to “investigate a suspicious vulnerability disclosure” through an off-platform communication from an individual with the handle “rzlr” using “aggressive” and “intimidating” language.
Subsequently, analysis of internal log data used to monitor employee access to customer disclosures traced the exposure to a rogue insider, whose goal, it noted, was to re-submit duplicate vulnerability reports to the same customers using the platform to receive monetary payouts.
“The threat actor created a HackerOne sockpuppet account and had received bounties in a handful of disclosures,” HackerOne detailed in a post-mortem incident report, adding that seven of its customers received direct communication from the threat actor.
“Following the money trail, we received confirmation that the threat actor’s bounty was linked to an account that financially benefited a then-HackerOne employee. Analysis of the threat actor’s network traffic provided supplemental evidence connecting the threat actor’s primary and sockpuppet accounts.”
HackerOne further said it has individually notified customers about the specific bug reports that were accessed by the malicious party along with the time of access, while emphasizing it found no evidence of vulnerability data having been misused or other customer information accessed.
On top of that, the company noted it aims to implement additional logging mechanisms to improve incident response, isolate data to reduce the “blast radius,” and enhance processes in place to identify anomalous access and proactively detect insider threats.
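The detection approach the article describes, correlating internal report-access logs with customer reports of off-platform duplicates, is illustrated below as an added example written for this page; it is not HackerOne's tooling, and all log lines, employee names, programs and report IDs are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed internal access log (not real data): staff views of customer
# vulnerability reports, one per line as "timestamp,employee,program,report_id".
ACCESS_LOG = """\
2022-04-10T09:12:00,alice,acme,R-1001
2022-04-11T14:30:00,bob,acme,R-1002
2022-04-12T10:05:00,alice,globex,R-2001
2022-04-15T16:40:00,alice,initech,R-3001
2022-04-16T11:00:00,bob,globex,R-2002
"""

# Constructed customer-reported off-platform duplicates, one per line as
# "timestamp,program,matching_report_id,submitter_handle".
DUPLICATES = """\
2022-04-13T08:00:00,acme,R-1001,rzlr
2022-04-14T19:20:00,globex,R-2001,rzlr
2022-04-20T12:00:00,initech,R-3001,rzlr
"""


def parse_rows(text):
    """Parse CSV-style lines; the first column is an ISO-8601 timestamp."""
    rows = []
    for line in text.splitlines():
        ts, a, b, c = line.strip().split(",")
        rows.append((datetime.fromisoformat(ts), a, b, c))
    return rows


def suspect_employees(access_log, duplicates, window_days=30, min_programs=2):
    """Return {employee: [(program, report_id), ...]} for employees who viewed a
    report before a matching duplicate reached the same program within
    window_days, across at least min_programs distinct programs. The
    cross-program threshold keeps a single coincidental overlap from firing."""
    views = defaultdict(list)  # (program, report_id) -> [(view_ts, employee)]
    for ts, employee, program, report_id in parse_rows(access_log):
        views[(program, report_id)].append((ts, employee))
    hits = defaultdict(set)  # employee -> {(program, report_id)}
    for dup_ts, program, report_id, _handle in parse_rows(duplicates):
        for view_ts, employee in views.get((program, report_id), []):
            if view_ts < dup_ts <= view_ts + timedelta(days=window_days):
                hits[employee].add((program, report_id))
    return {e: sorted(h) for e, h in hits.items()
            if len({p for p, _ in h}) >= min_programs}


if __name__ == "__main__":
    print(suspect_employees(ACCESS_LOG, DUPLICATES))
```

On the constructed data only alice is flagged, with all three programs listed; bob's views never precede a matching duplicate.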