Home » » HackerOne employee stole bug reports and collected the bounties

HackerOne employee stole bug reports and collected the bounties

No comments

An employee of bug bounty platform HackerOne has been stealing user-submitted reports and disclosing the information to the affected vendors, sometimes in exchange for financial reward.

In a blog post, the company revealed the details of the incident, which took place over the course of roughly three months, and confirmed that the employee has since been fired.

HackerOne is still considering whether or not to pursue a criminal lawsuit, BleepingComputer reported.

Identical reports raising eyebrows

In early April, HackerOne brought in a new employee who, due to his position, had access to bug reports. These reports highlight vulnerabilities in various software and services that could be exploited by cybercriminals to steal passwords and other sensitive information, distribute malware and more.

From early on, the individual began gathering reports, and under a fake name reaching out to the affected businesses, often in a threatening and intimidating tone, HackerOne said.

The employee would then demand payment in exchange for the vulnerability disclosure, and in some instances even got his way.

HackerOne was alerted to the potential fraud when one of its affected clients reached out to say that another person “discovered” an identical flaw. While duplicate discoveries in bug hunting aren't uncommon, this particular instance was identical to such an extent that it arose suspicion, the company said.

Read more

> Google is upping its Linux bug bounty prize

 > 1Password ups maximum bug bounty

 > Best patch management tools of 2022

Together with payment providers, HackerOne was able to follow the money, and soon discovered one of its own employees was behind the scheme.

Soon after, it banned the employee from accessing the system, and remotely locked his laptop, pending investigation. The investigation showed all of the bug reports the person had accessed, prompting the company to reach out to both the hackers discovering the bugs and the companies affected.

The company also said that not all of the bug reports that the person accessed were abused. In some cases, the access was for legitimate purposes.

Via: BleepingComputer



from TechRadar - All the latest technology news https://ift.tt/gymkqGD
Share:

No comments:

Post a Comment

Categories

Rove Reviews Youtube Channel

  1. Subscribe to our youtube channel
  2. Like our videos and share them too.
  3. Our youtube channel name Rove reviews.

WITNUX

This website is made by Witnux LLC. This website provides you with all the news feeds related to technology from large tech media industries like GSM Arena, NDTV, Gadgets 360, Firstpost and many other such ates altogether at technical depicts so that you need not go to several sites to view their post provide you advantantage of time.

From the developer
Tanzeel Sarwar

OUR OTHER NETWORKS

OUR YOUTUBE CHANNEL

ROVE REVIEWS PLEASE SUBSCRIBE

OUR FACEBOOK PAGE

The Rove Reviews

Support

Trying our best to provide you the best DONATE or SUPPORTour site Contact me with details how are you gonna help us