HackerOne has revealed that one of its employees took bug reports submitted by external researchers for personal gain by submitting those on other bounty platforms.

Upon investigation by the HackerOne Security team, it was discovered a then-employee anonymously disclosed vulnerability information outside the HackerOne platform with the goal of claiming additional bounties.

“This is a clear violation of our values, our culture, our policies, and our employment contracts. In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data,” the company said in a statement.

“We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future,” it added

On June 22, a customer asked HackerOne to investigate a suspicious vulnerability disclosure made outside of its platform.

Buy Me A Coffee

This customer expressed skepticism that this was a genuine collision and provided detailed reasoning.

The HackerOne security team took these claims seriously and began an investigation.

“Our investigation has concluded that a (now former) HackerOne employee improperly accessed vulnerability data of customers to re-submit duplicate vulnerabilities to those same customers for personal gain,” said Alex Rice, Founder, and CTO.

The company identified seven customers who received direct communication from the threat actor.

“We notified each of the customers of our investigation and asked for information related to their interactions,” said Chris Evans, CISO.

“As a result of the findings of our investigation, we believe we have taken the necessary steps to contain the insider’s access,” he added.

Two Chinese Nationals Arrested in US for Alleged Role in $73 Million Cryptocurrency Scam

HackerOne paid out over $100 million to participants in 2020 who reported over 181,000 vulnerabilities through bounties.