HackerOne has revealed information on a former employee who it alleges accessed company data for personal financial benefit.
The individual, who has not been named, took information from security reports submitted through the bug bounty platform and attempted to disclose the same vulnerabilities outside of it.
According to HackerOne, he had access to the data between April 4 and June 23, 2022. On June 22, 2022, HackerOne was notified of the problem by a customer who had grown suspicious after receiving near-identical bug reports both through the platform and from the individual directly.
“This is a clear violation of our values, our culture, our policies, and our employment contracts,” the platform stated.
“In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data. We have since terminated the employee, and further bolstered our defences to avoid similar situations in the future.”
According to HackerOne, the submitter of this off-platform disclosure "reportedly used intimidating language in conversation with our customer," and the actor's intent was to collect more bounties.
HackerOne also stated that, after consulting with lawyers, it will decide whether a criminal referral is warranted.
A HackerOne spokesperson informed The Daily Swig: “Since the founding of HackerOne, we have honoured our steadfast commitment to disclosing security incidents because we believe that sharing security information is essential to building a safer internet.
“At HackerOne, we value the trusted relationships with our customers and the hacking community. It’s important for us to continue to demonstrate transparency as a core tenet of Corporate Security Responsibility and therefore shared this Incident Report.”
The spokesperson added: “Our Code of Conduct sets the foundation for building trust. We will continue to prioritize coordinated disclosure and to act fast to ensure we uphold these strong standards.”