An employee of bug bounty platform HackerOne copied the work of hackers to get paid by companies. Internal threats are a tricky issue for security providers.
HackerOne was founded in 2012. The organization develops a bug bounty platform. Companies sign up and pay hackers to find vulnerabilities. The platform is popular among hackers due to its steady flow of assignments and income.
HackerOne is an intermediary. The organization is supposed to ensure that companies receive honest information from hackers, and that hackers are rewarded fairly in the process. In June 2022, things went south. A HackerOne employee misused confidential information to collect money from customers.
How did it go wrong?
The employee was responsible for reviewing the vulnerabilities discovered by hackers. Hackers are only paid when the discovered vulnerability meets a set of conditions, and checking those conditions was the employee’s job.
Reviewing a vulnerability means seeing it, so the employee was authorized to view the vulnerabilities hackers submitted. At the time, HackerOne was unaware that the employee was also posing as a hacker on a personal account. The employee copied the work of actual hackers and resubmitted it to get paid by customers.
When a company signs up to HackerOne, it promises to compensate the finder of a vulnerability. When two hackers find the same vulnerability, the company may be required to pay both; anything else would be unfair to hackers, who typically work alone. This allowed the employee to slip under the radar: stolen work went unnoticed because duplicate reports are a normal occurrence.
Seven customers were duped. One of the companies sounded the alarm on 22 June. The employee was fired following further investigation.
Where did HackerOne fall short?
HackerOne fell short in a number of areas. The organization screens the background of new employees, but the screening wasn’t strict enough to prevent this incident. In addition, HackerOne lacked sufficient staff to track down internal threats; the team is being expanded accordingly.
The organization is also working on new technical measures, including an automated system for recognizing suspicious behaviour. Furthermore, HackerOne is investing in data isolation, reducing employee access to customer and hacker data.
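The two passages above describe the blind spot (duplicates are normal, so a copied report looks like a legitimate duplicate) and the remedy (automated detection of suspicious behaviour). The following script is an added illustration of what such detection can look like; it is not HackerOne’s system and is not based on any published details of it. It assumes a platform audit log that records when a staff member views a report and when a hacker files a report that the program later marks as a duplicate of an earlier one. The event format, the account names and the report ids are all constructed for the example. The heuristic correlates each duplicate with prior staff views of the original, then scores each staff member by how often reports they viewed were duplicated shortly afterwards; honest triagers also see duplicates, so the score is a rate with a tunable threshold, not a verdict.

```python
"""Insider-duplicate heuristic over constructed bug bounty audit events.

Added example: a simplified detector, not a real platform's code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log. Hypothetical staff and hacker accounts,
# hypothetical report ids; none of this is real platform data.
AUDIT_EVENTS = [
    # staff views of original reports
    {"type": "report_viewed", "actor": "triager-A", "report": "R-100", "ts": "2022-06-01T09:00:00"},
    {"type": "report_viewed", "actor": "triager-A", "report": "R-101", "ts": "2022-06-01T10:00:00"},
    {"type": "report_viewed", "actor": "triager-A", "report": "R-102", "ts": "2022-06-02T09:00:00"},
    {"type": "report_viewed", "actor": "triager-B", "report": "R-103", "ts": "2022-06-02T09:30:00"},
    {"type": "report_viewed", "actor": "triager-B", "report": "R-104", "ts": "2022-06-02T11:00:00"},
    {"type": "report_viewed", "actor": "triager-B", "report": "R-105", "ts": "2022-06-03T11:00:00"},
    # hacker submissions that the program later marked as duplicates
    {"type": "report_submitted", "actor": "hacker-X", "report": "R-200", "duplicate_of": "R-100", "ts": "2022-06-03T08:00:00"},
    {"type": "report_submitted", "actor": "hacker-X", "report": "R-201", "duplicate_of": "R-101", "ts": "2022-06-03T08:10:00"},
    {"type": "report_submitted", "actor": "hacker-X", "report": "R-202", "duplicate_of": "R-102", "ts": "2022-06-04T08:00:00"},
    # an ordinary duplicate: one report of triager-B's, a different hacker
    {"type": "report_submitted", "actor": "hacker-Y", "report": "R-203", "duplicate_of": "R-104", "ts": "2022-06-05T08:00:00"},
    # filed before any staff member viewed the original: cannot be a leak
    {"type": "report_submitted", "actor": "hacker-Z", "report": "R-204", "duplicate_of": "R-105", "ts": "2022-06-03T08:00:00"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def suspicious_duplicates(events, window=timedelta(days=7)):
    """Return (staff, original, duplicate, submitter) tuples for every
    duplicate filed within `window` AFTER a staff member viewed the original.
    A duplicate filed before the view is ignored: the viewer cannot have
    leaked what they had not yet seen."""
    views = defaultdict(list)  # original report -> [(staff, view time)]
    for e in events:
        if e["type"] == "report_viewed":
            views[e["report"]].append((e["actor"], _parse(e["ts"])))
    hits = []
    for e in events:
        if e["type"] != "report_submitted" or not e.get("duplicate_of"):
            continue
        filed = _parse(e["ts"])
        for staff, seen in views[e["duplicate_of"]]:
            if timedelta(0) <= filed - seen <= window:
                hits.append((staff, e["duplicate_of"], e["report"], e["actor"]))
    return hits


def rank_staff(events, window=timedelta(days=7), min_rate=0.5):
    """Per staff member, the fraction of reports they viewed that were
    duplicated by an outside account within `window` of the view, plus the
    set of accounts that filed those duplicates. Duplicates happen to honest
    triagers too, so only rates at or above `min_rate` are returned and the
    threshold has to be tuned against a program's normal duplicate rate.
    A single external account behind most of one staff member's hits is the
    stronger signal and is surfaced via the `submitters` list."""
    viewed = defaultdict(set)
    for e in events:
        if e["type"] == "report_viewed":
            viewed[e["actor"]].add(e["report"])
    leaked = defaultdict(set)
    submitters = defaultdict(set)
    for staff, original, _dup, submitter in suspicious_duplicates(events, window):
        leaked[staff].add(original)
        submitters[staff].add(submitter)
    flagged = {}
    for staff, reports in viewed.items():
        rate = len(leaked[staff]) / len(reports)
        if rate >= min_rate:
            flagged[staff] = {"rate": rate, "submitters": sorted(submitters[staff])}
    return flagged


if __name__ == "__main__":
    for staff, info in rank_staff(AUDIT_EVENTS).items():
        print(f"{staff}: {info['rate']:.0%} of viewed reports duplicated by {info['submitters']}")
```

On the constructed data, triager-A is flagged (every report they viewed was duplicated within days by the same outside account), while triager-B stays below the default threshold because only one of three viewed reports was duplicated and by an unrelated account. In a real deployment the view events would come from the platform’s access audit trail, which is also the control that data isolation shrinks: the fewer reports a staff member can open, the smaller the set this heuristic has to watch.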
The organization takes the incident seriously, but reputational damage is considerable. Bug bounty platforms run on trust. Every incident is one incident too many.
This does not mean that you should distrust bug bounty platforms entirely; things go right 99.9 percent of the time. If you’re working with a bounty platform as a company or a hacker, we advise checking how the platform handles internal threats.