Bug Bounty Platform’s Employee Abused Internal Access to Steal Bounties

A HackerOne employee took advantage of their access to internal systems to submit duplicate reports and collect bounties.
hackerone-insider-threat
Image: Westend61/Getty Images

An employee of the bug bounty platform HackerOne abused their access to internal systems to submit bug reports and collect payments, the company announced on Friday.

In a public incident report, HackerOne said that a now former employee used the handle “rzlr” to submit duplicate bug reports to HackerOne customers and, in some cases, was able to collect payments. In practice, the employee saw other people’s bug submissions, copied the content and submitted the same reports to customers hoping to get the companies to pay them. 

Advertisement

“We discovered a then-employee had improperly accessed security reports for personal gain. The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties,” the company wrote in its disclosure. “This is a clear violation of our values, our culture, our policies, and our employment contracts.”

HackerOne did not disclose the name of the former employee nor how much money they made.

A company spokesperson said it’s not planning to disclose the identity of the former employee, and that they are discussing with lawyers whether to report the former employee to law enforcement. 

This is a classic case of what is usually called “insider threat,” when an employee abuses their access to company systems and data to their advantage. In this case, the scheme was rather smart. The former employee’s job was to triage bug reports, so they had access to all the information needed to learn of bug reports and re-submit them under a pseudonym, according to HackerOne.  

Do you have information about other cases of insider abuse or insider threat? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email lorenzofb@vice.com

The company’s investigation started after a customer alerted HackerOne about receiving a report that used “intimidating language” and was very similar to “an existing disclosure,” according to the company. In 24 hours, HackerOne said it had identified the insider threat and fired them, terminating their system access “and remotely locked their laptop pending further investigation.”

“We are now confident that this incident was limited to a single employee who improperly accessed information in clear violation of our values, our culture, our policies, and our employment contracts,” the company wrote.

HackerOne said it discovered the former employee by analyzing access logs, which revealed “only a single employee had accessed each disclosure that our customers suspected of being re-disclosed by the threat actor,” who used a sockpuppet account to make the reports to seven customers.  

The company also announced a series of improved security measures to avoid similar situations, such as better logging of employee’s activities, dedicating more employees to investigate and monitor for insider threats, and “enhanced” screening during the hiring process, among others.

Subscribe to our podcast, CYBER. Subscribe to our new Twitch channel.