HackerOne: former employee sold vulnerabilities

An employee of HackerOne disclosed the details of some vulnerabilities reported to the platform in order to obtain a personal gain.

HackerOne discovered that one of its employees stole vulnerability data from the platform in order to sell it for personal profit. The internal investigation was launched following a report from a customer who had received a threatening communication from a certain "rzlr". The employee has, of course, been fired and could also be reported to law enforcement.

Unfaithful employee sold security bugs

HackerOne is a platform that connects companies with security researchers for coordinated vulnerability disclosure. It also acts as the intermediary for rewards (bug bounties).

On June 22, a customer asked HackerOne to investigate the disclosure of a vulnerability outside the platform. The customer stated that the language used by the individual was also intimidating. In addition, the bug was similar to one that had already been reported. Following the investigation, HackerOne identified the insider, revoked his access to the platform and remotely locked his company laptop.

The employee had created an additional account to disclose information about the vulnerabilities and collect the prize money. This happened between April 4 and June 23. The illicit activity was uncovered by following the flow of money and the network traffic. HackerOne will continue the forensic analysis of the logs and of the devices used by the employee.

So far, seven customers have been contacted. Information about the investigation will be shared with other bug bounty platforms to find out whether their customers have received similar communications. Fortunately, the details of the vulnerabilities have not been disclosed to cybercriminal groups.

In any case, it is always better to use an antivirus.