A HackerOne Employee Stole Vulnerability Reports From Security Researchers - PCMag

gandenganaja.blogspot.com

HackerOne says an employee stole vulnerability disclosure reports submitted via its platform so they could (at least attempt to) claim the bounty from the company's partners for themselves.

Many companies have started bug bounty programs to reward security researchers for disclosing vulnerabilities in their products instead of exploiting the flaws themselves, peddling them on the black market, or selling them to zero-day brokers on the gray market. A lot of companies rely on platforms like HackerOne to operate these programs for them.

HackerOne says it "discovered a then-employee had improperly accessed security reports for personal gain" in June. "The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties," the company says. "This is a clear violation of our values, our culture, our policies, and our employment contracts."

The entire investigation—from a HackerOne partner expressing doubt about the employee's recently submitted bug report to cutting off the employee's access to this data—reportedly took less than 24 hours. (HackerOne says it has also fired the employee in question and is conferring with its lawyers to "decide whether criminal referral of this matter is appropriate.")

"In summary," HackerOne says, "this was a serious incident. We are confident the insider access is now contained. Insider threats are one of the most insidious in cybersecurity, and we stand ready to do everything in our power to reduce the likelihood of such incidents in the future."

The company says that it's making a number of improvements to its processes, such as collecting additional data that could be relevant to future investigations and restricting employee access to certain information, in response to this incident. It's not clear why some of these security measures—especially limiting access to disclosure reports—weren't already in place.

On the plus side, HackerOne says that all of the reports submitted by this former employee were marked as duplicates, which leads it to believe that payouts to legitimate security researchers weren't affected. The company says it has emailed all of the companies that were contacted by the former employee and plans to inform hackers whose reports were accessed of the intrusion.

July 04, 2022 at 01:12AM