A previous worker at HackerOne applied their access to sensitive info at the bug bounty system to deliver private profits, the company has disclosed.
The unnamed individual’s process access was terminated just 24 several hours soon after a tip off from a consumer disclosed they had “improperly accessed information in very clear violation of our values, our society, our procedures, and our employment contracts.”
The business analyzed inside logs and uncovered that the then-employee, who had accessibility to HackerOne systems between April 4 and June 23 2022, contacted 7 customers in an effort to make some additional money off resubmitted vulnerability disclosures.

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
“The menace actor developed a HackerOne sockpuppet account and had received bounties in a handful of disclosures. Immediately after identifying these bounties as most likely poor, HackerOne achieved out to the relevant payment providers, who worked cooperatively with us to offer more details,” HackerOne spelled out.
“Following the revenue trail, we been given affirmation that the risk actor’s bounty was linked to an account that fiscally benefited a then-HackerOne staff. Investigation of the risk actor’s network targeted visitors provided supplemental evidence connecting the threat actor’s main and sockpuppet accounts.”
The firm taken off the employee’s HackerOne accounts, terminated their work and is at the moment looking at no matter whether to refer the scenario to the authorities for criminal prosecution.
The previous insider, who went by the handle “rzlr” in communications with clients, is reported to have employed “intimidating” language with them when anonymously disclosing vulnerabilities that experienced presently been observed and disclosed.
A analyze very last year found that a 3rd (33%) of claimed information breaches associated somebody with authorized access to the impacted details, although in most scenarios, this led to unintended knowledge loss instead than intentionally destructive action.
Some sections of this short article are sourced from:
www.infosecurity-journal.com