Upon investigation by the HackerOne Security team, it discovered a then-employee anonymously disclosed vulnerability information outside the HackerOne platform with the goal of claiming additional bounties.
“This is a clear violation of our values, our culture, our policies, and our employment contracts. In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data,” the company said in a statement.
“We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future,” it added
On June 22, a customer asked HackerOne to investigate a suspicious vulnerability disclosure made outside of the its platform.
This customer expressed skepticism that this was a genuine collision and provided detailed reasoning.
Discover the stories of your interest
The HackerOne security team took these claims seriously and began an investigation.
“Our investigation has concluded that a (now former) HackerOne employee improperly accessed vulnerability data of customers to re-submit duplicate vulnerabilities to those same customers for personal gain,” said Alex Rice, Founder and CTO.
The company identified seven customers who received direct communication from the threat actor.
“We notified each of the customers of our investigation and asked for information related to their interactions,” said Chris Evans, CISO.
“As a result of the findings of our investigation, we believe we have taken the necessary steps to contain the insider’s access,” he added.
HackerOne paid out over $100 million to participants in 2020 who reported over 181,000 vulnerabilities through bounties.