HackerOne confirmed that an insider threat accessed confidential customer data, raising concerns for vulnerability reporting and bug bounty programs.
In a blog post Friday, HackerOne disclosed a security incident involving an employee who took advantage of the platform's coordinated vulnerability disclosure program for financial gain. A call on June 22 from a customer reporting "intimidating and suspicious off-platform communication from an actor" prompted an investigation. Now, a detailed disclosure timeline revealed the actor to be an employee who anonymously disclosed vulnerability information to claim additional bounties.
The HackerOne security team linked the actor, who operated under the alias "rzlr," to an employee and quickly terminated their system access. However, it determined that the former employee had obtained confidential vulnerability reports and contacted seven HackerOne customers in a scheme to earn bounty rewards from bugs discovered by other individuals.
"Our investigation has concluded that a (now former) HackerOne employee improperly accessed vulnerability data of customers to re-submit duplicate vulnerabilities to those same customers for personal gain," the blog post read.
The incident could shake confidence in the vulnerability disclosure process, which relies on trusted communication, confidentiality and transparency. Bug bounty programs have grown in popularity in recent years as vendors have sought to crowdsource vulnerability research. But concern over vulnerability disclosure processes has heightened recently as some critical vulnerabilities have apparently leaked prior to public disclosure and patching of the flaws.
For example, researchers discovered that the Log4Shell vulnerability was exploited in the wild approximately a week before its public disclosure. And in early 2021, threat actors began exploiting zero-day vulnerabilities in Microsoft Exchange Server, including ProxyLogon, months before the software giant publicly revealed and patched the bugs. Microsoft and Devcore, which discovered the ProxyLogon vulnerability, launched investigations into the matter and determined that there was evidence of a leak from their respective organizations.
Insider threat response
The HackerOne employee's former role was to triage vulnerability disclosures for numerous customer programs, according to the blog post. After reviewing the internal logs, HackerOne said it is confident that no access to customer data beyond that role was granted or authorized. In addition, the bug bounty platform said there is no evidence that the vulnerability data access was misused beyond the former employee improperly claiming credit and rewards for bug reports.
While an investigation into the insider threat incident continues, HackerOne said it notified seven customers that the actor contacted directly. However, the effects could extend to ethical hackers as well.
"Our investigation so far has not discovered any situation where the threat actor made a duplicate disclosure that interfered with the judgment or bounty amount for the original disclosure," the blog post said. "All disclosures made from the threat actor were considered duplicates."
Following the incident, HackerOne made improvements to several areas, including logging, data isolation and red team tabletops. The company also said it will add additional employees dedicated to detecting and responding to insider threats.
Even more specific to this instance, the bug bounty platform said it will enhance its hiring screening, though the details have not been determined.
"Our existing industry standard background, criminal, and reference check processes did not screen out the threat actor. We are evaluating possible additional enhancements tailored to this unique threat," the blog read.
Will it affect the bug bounty market?
While the incident, which HackerOne described as serious, highlighted the danger of insider threats to vulnerability reporting systems, infosec experts were split on how concerning it will be for the third-party bug bounty market overall.
Bob Diachenko, cyber threat intelligence director at Security Discovery, said the incident shows the importance of preventing insider threats, which are always a risk, rather than undermining confidence in third-party bug reporting platforms.
"I don't think that this case should raise concerns going forward," Diachenko said in an email to SearchSecurity. "It is rather an exception than a rule, especially with HackerOne, which I'm sure learned its lesson here."
Similarly, Rik Turner, senior principal analyst of emerging security at Omdia Cybersecurity, said there will always be bad apples in every organization, just like with the 2019 Capital One breach that involved a former Amazon employee. However, the HackerOne incident doesn't help the bug bounty sector from an image perspective, he said.
"I suspect they will all now have to redouble their efforts to scrutinize employee activities -- and potentially cue more surveillance of their laptop activities, etc. -- in an effort to restore any lost credibility," Turner said in an email to SearchSecurity.
Andrew Braunberg, principal analyst of enterprise cybersecurity operations at Omdia, echoed that sentiment, suggesting that better vetting of employees might help. It will lead to more monitoring and logging, he said, which HackerOne did address in its improvements.
"Clearly this incident shows that the threat of insider attack is real," Braunberg said in an email to SearchSecurity. "According to HackerOne, this ex-employee was trying to claim for other bug bounties. Easy to think of other scenarios -- e.g., feeding early vulnerability data to threat actors -- where it might have been harder to catch this actor."
Alon Schindel, director of data and threat research at cloud security firm Wiz, also believes the damage could have been worse. The goals of the employee behind the incident appear to have been limited to financial gain, he said, albeit at the expense of other researchers. Alternatively, Schindel said, the former employee could have weaponized the vulnerability information they accessed in order to target other organizations or sell the information to offensive cyber actors.
The most important aspect of the incident for Curt Franklin, senior analyst of enterprise security management at Omdia, was what HackerOne did right. That included locking the employee's accounts and confiscating the laptop before interviews and allegations began.
"In too many cases, companies will begin investigations and alert a suspected threat actor to forensics effort in time for malicious actions to be taken or for key evidence to be destroyed," Franklin said in an email to SearchSecurity. "It's critical for organizations to have a playbook in place and follow it closely when internal threats are suspected, whether it turns out that the suspicions were justified or not."
While HackerOne's incident response might have been successful, Bob Rudis, head of data science at GreyNoise Intelligence, questioned the timing of the details that were posted at the beginning of a holiday weekend.
"In my opinion, there's no way releasing the details over a holiday weekend was by accident," he said in a Twitter direct message to SearchSecurity. "Mistakes and fraud happen, and this could have been a really great learning experience for everyone. Now, it's just an out-of-sight, out-of-mind story. Transparency in cybersecurity organizations should be paramount."
To that end, Rudis suggested that other players in the space openly discuss how they're shoring up their own processes in light of the HackerOne insider security incident.
Dustin Childs, with Trend Micro's Zero Day Initiative, a vendor-agnostic bug bounty and vulnerability disclosure platform, said the incident was cause for alarm, but he also gave credit to HackerOne for its swift response and detailed disclosure of the incident.
"Incidents like these do raise eyebrows and cause some researchers to lose faith in certain programs or vendors," he said. "However, the transparency in reporting what happened and the actions taken once the threat actor was discovered help to reestablish that trust. It also serves as a reminder that no one is immune from insider threats, and extra vigilance must be taken when dealing with zero-day reports."
Senior reporter Shaun Nichols contributed to this report.