The vulnerability disclosure platform HackerOne has revealed that one of its staff members improperly accessed security reports for personal gain.
The now-former staff member approached HackerOne customers with vulnerabilities that had been submitted by users of the platform.
HackerOne
HackerOne acts as a mediator between white hat hackers that find software vulnerabilities, and software vendors who want to know about weaknesses in their products. The vendors let HackerOne take care of the first steps after a vulnerability is discovered in their software. The hackers submit detailed reports to be evaluated and triaged by HackerOne.
Generally you will see the platform referred to as a bug bounty program, because part of the business entails paying rewards to the white hat hackers that find new vulnerabilities.
Disclosure
Responsible disclosure is one of the pillars of trust that platforms like HackerOne are built upon. The vendors trust that the found vulnerabilities will remain secret until they have had a chance to fix or patch them. That is, after all, how the platform contributes to a safer internet. And the bug bounty hunters rely on the platform to negotiate a fair reward for their efforts.
Having someone on your staff who steals findings from one side and tries to monetize them on the other breaks that trust on both sides.
What happened?
On June 22, 2022, a customer asked HackerOne to investigate a suspicious vulnerability disclosure made outside of the HackerOne platform. The vulnerability was suspiciously similar to one that was already under investigation, and the hacker, operating under the handle “rzlr”, used intimidating language.
Bug collision, where two bug bounty hunters find the same vulnerability around the same time, happens on occasion, but the customer was able to convince HackerOne that this was not a coincidence.
According to HackerOne, it quickly became clear that this must have been an inside job, and a day after the customer’s inquiry HackerOne had a suspect on its radar. They terminated the suspect’s system access and remotely locked their laptop.
The company says it then managed to associate a HackerOne sockpuppet account to the suspected employee by following the money trail. The employee’s contract was terminated a week after the investigation started.
Vendors using HackerOne who have been contacted by someone using the handle “rzlr”, and who aren’t already coordinating with HackerOne, are urged to contact the company (for details on how, see HackerOne’s report of the incident).
It is believed that none of the affected vulnerabilities have been exploited, and that the insider’s actions did not affect any judgments or bounty amounts.
Customers who had any reports accessed by the threat actor have been contacted by HackerOne specifying what was accessed and when.
Lessons learned
HackerOne has been admirably transparent about the incident.
Since the founding of HackerOne, we have kept a steadfast commitment to disclosing security incidents because we believe that sharing security information far and wide is essential to building a safer internet.
It says it has identified several areas it intends to improve. It believes that better logging could improve its ability to respond to similar incidents in the future, and it is going to hire additional employees dedicated to insider threats, which will bolster detection, alerting, and response for business operations that require human access to disclosure data.
Perhaps least surprisingly, it says it will also look to improve its hiring screening. Insider threats are among the most insidious in cybersecurity, especially in the business model of a negotiator, where mutual trust on both sides of the business is of the essence.