Wednesday, July 6, 2022

HackerOne Employee Fired for Stealing and Selling Bug Reports for Personal Gain

HackerOne has fired one of its employees for collecting bug bounties from its customers after alerting them to vulnerabilities in their products: bugs that had been discovered by other researchers and disclosed privately to HackerOne through its coordinated vulnerability disclosure program.

HackerOne discovered the scheme when one of its customers asked the company to investigate a vulnerability disclosure that had been made outside the HackerOne platform in June. The customer, like other clients of bug bounty programs, uses HackerOne to collect and triage vulnerabilities in its products that independent security researchers may have discovered. In return, the company pays a reward, or bug bounty, for reported vulnerabilities.

In this instance, the HackerOne customer said an anonymous individual had contacted them about a vulnerability that was very similar to another bug in its technology that a researcher had previously submitted through the HackerOne platform.

Bug collisions, where two or more researchers independently unearth the same vulnerability, are not uncommon. “However, this customer expressed skepticism that this was a genuine collision and provided detailed reasoning,” HackerOne said in a report summarizing the incident. The customer described the individual, who used the handle “rzlr,” as using intimidating language when communicating details about the vulnerability, HackerOne said.

Malicious Insider

The company’s investigation of the June 22, 2022, tip almost immediately pointed to several customers likely having been contacted in the same manner. HackerOne investigators began probing every scenario in which someone might have gained access to its vulnerability disclosure data: whether someone had compromised one of its systems, gained remote access some other way, or whether the disclosure had resulted from a misconfiguration. The data quickly pointed to the threat actor being an insider with access to the vulnerability data.

HackerOne’s investigators then examined their log data on employee access to vulnerability disclosures and found that only one employee had accessed every one of the disclosures that customers had reported as suspicious. “Within 24 hours of the tip from our customer, we took steps to terminate that employee’s system access and remotely locked their laptop pending further investigation,” HackerOne said.

The company found that the former employee had created a fictitious HackerOne account and collected bounties for a handful of disclosures. HackerOne worked with the relevant payment providers in each instance to confirm that the bounties had been paid into a bank account linked to the now-former employee. By analyzing the individual’s network traffic, the investigators were also able to link the fictitious account to the ex-employee’s primary HackerOne account.
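The two investigative steps described above, finding the one employee whose access footprint covers every leaked report and then tying a hacker-side account back to that employee's sessions, can be expressed as simple log correlation. The following is an added example and is not HackerOne's tooling or data: the audit-log and session records are constructed, and the field names (`employee`, `report_id`, `src_ip`, `account`, `ts`) are assumptions for the sake of the illustration.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample audit log (not real HackerOne data): one record per
# employee view of a vulnerability report. Field names are assumptions.
ACCESS_LOG: List[Dict[str, str]] = [
    {"ts": "2022-06-10T09:14:00Z", "employee": "emp-alice", "report_id": "R-1001", "src_ip": "203.0.113.10"},
    {"ts": "2022-06-10T09:20:00Z", "employee": "emp-bob",   "report_id": "R-1001", "src_ip": "203.0.113.11"},
    {"ts": "2022-06-11T14:02:00Z", "employee": "emp-alice", "report_id": "R-1007", "src_ip": "203.0.113.10"},
    {"ts": "2022-06-11T15:30:00Z", "employee": "emp-bob",   "report_id": "R-1007", "src_ip": "203.0.113.11"},
    {"ts": "2022-06-13T10:45:00Z", "employee": "emp-alice", "report_id": "R-1012", "src_ip": "203.0.113.10"},
    {"ts": "2022-06-13T11:05:00Z", "employee": "emp-carol", "report_id": "R-1012", "src_ip": "203.0.113.12"},
    {"ts": "2022-06-14T08:00:00Z", "employee": "emp-carol", "report_id": "R-1003", "src_ip": "203.0.113.12"},
    {"ts": "2022-06-15T16:40:00Z", "employee": "emp-alice", "report_id": "R-1020", "src_ip": "203.0.113.10"},
]

# Constructed sample of hacker-side platform logins, again with assumed field names.
PLATFORM_SESSIONS: List[Dict[str, str]] = [
    {"ts": "2022-06-12T20:10:00Z", "account": "fake-hunter",   "src_ip": "203.0.113.10"},
    {"ts": "2022-06-12T21:00:00Z", "account": "honest-hunter", "src_ip": "198.51.100.7"},
    {"ts": "2022-06-16T19:30:00Z", "account": "fake-hunter",   "src_ip": "203.0.113.10"},
]

# Report IDs that customers flagged as having surfaced outside the platform (constructed).
SUSPICIOUS_REPORTS: Set[str] = {"R-1001", "R-1007", "R-1012"}


def _viewed_suspicious(log: List[Dict[str, str]], suspicious: Set[str]) -> Dict[str, Set[str]]:
    """Map each employee to the subset of suspicious reports they viewed."""
    viewed: Dict[str, Set[str]] = defaultdict(set)
    for rec in log:
        if rec["report_id"] in suspicious:
            viewed[rec["employee"]].add(rec["report_id"])
    return viewed


def employees_accessing_all(log: List[Dict[str, str]], suspicious: Set[str]) -> Set[str]:
    """Employees whose access footprint covers every suspicious report.

    One overlap can be explained by a genuine bug collision; an employee who
    viewed all of the leaked reports is the lead to investigate first.
    """
    return {emp for emp, ids in _viewed_suspicious(log, suspicious).items() if ids >= suspicious}


def coverage_by_employee(log: List[Dict[str, str]], suspicious: Set[str]) -> Dict[str, int]:
    """How many of the suspicious reports each employee touched, for a ranked view."""
    return {emp: len(ids) for emp, ids in _viewed_suspicious(log, suspicious).items()}


def accounts_sharing_ip(employee: str, log: List[Dict[str, str]],
                        sessions: List[Dict[str, str]]) -> Set[str]:
    """Platform accounts whose login source IPs overlap the employee's work-session IPs."""
    employee_ips = {rec["src_ip"] for rec in log if rec["employee"] == employee}
    return {s["account"] for s in sessions if s["src_ip"] in employee_ips}


if __name__ == "__main__":
    suspects = employees_accessing_all(ACCESS_LOG, SUSPICIOUS_REPORTS)
    print("accessed every leaked report:", suspects)
    print("coverage per employee:", coverage_by_employee(ACCESS_LOG, SUSPICIOUS_REPORTS))
    for emp in sorted(suspects):
        print(emp, "shares source IPs with accounts:",
              accounts_sharing_ip(emp, ACCESS_LOG, PLATFORM_SESSIONS))
```

On the constructed data only `emp-alice` viewed all three flagged reports, and the `fake-hunter` account logged in from the same source address as her sessions. A shared IP is a lead rather than proof (corporate NAT, VPN egress and shared networks all produce overlaps), which is why the article describes payment-provider confirmation and traffic analysis as separate corroborating steps; the coverage count is likewise only meaningful when the set of flagged reports is large enough that a full-coverage employee is unusual.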

Undermining Trust

Mike Parkin, senior technical engineer at Vulcan Cyber, says incidents like this can undermine the trust that is key to the success of crowdsourced vulnerability disclosure programs such as the one HackerOne manages. “Trust is a big factor in vulnerability research and can play a large part in many bug bounty programs,” Parkin says. “So, when someone effectively steals another researcher’s work and presents it as their own, that foundational trust can be stretched.”

Parkin praised HackerOne for being transparent and acting quickly to address the situation. “Hopefully this incident won’t affect the vulnerability research ecosystem overall, but it may lead to deeper reviews of bug bounty submissions going forward,” he says.

HackerOne said the former employee, who had started only on April 4, directly communicated with a total of seven of its customers. It urged any other customers that may have been contacted by an individual using the handle rzlr to contact the company immediately, especially if the communication had been aggressive or threatening in tone.

The company also reassured hackers who have signed up for the platform that their eligibility for any bounties they might receive for vulnerability disclosures had not been adversely affected. “All disclosures made by the threat actor were considered duplicates. Bounties applied to these submissions did not impact the original submissions.”

HackerOne said it would contact hackers whose reports the ex-employee may have accessed and attempted to resubmit. “Since the founding of HackerOne, we have honored our steadfast commitment to disclosing security incidents because we believe that sharing security information is essential to building a safer Internet,” the company said.

Following the incident, HackerOne has identified several areas where it plans to strengthen controls. These include improvements to its logging capabilities, adding staff to monitor for insider threats, improving its employee screening practices during the hiring process, and controls for isolating data to limit the damage from incidents of this kind.

Jonathan Knudsen, head of global research at Synopsys Cybersecurity Research Center, says HackerOne’s decision to communicate clearly about the incident and its response to it is an example of how organizations can limit damage. “Security incidents are often viewed as embarrassing and irredeemable,” he says.

But being completely transparent about what happened can improve credibility and earn respect from customers. “HackerOne has taken an insider threat incident and responded in a way that reassures customers that they take security very seriously, are capable of responding quickly and effectively, and are consistently analyzing and improving their processes,” Knudsen says.
