HackerOne said that one of its recently hired employees had been submitting already-confirmed bug reports through a sock-puppet account and had managed to collect bounties from the affected companies. HackerOne identified and terminated the rogue employee and informed the affected companies about its investigation.
HackerOne Employee Stealing Bounties
On June 22nd, HackerOne received a request from a customer using the handle "rzlr" to investigate a suspicious vulnerability disclosure, which led the platform to uncover a major fraud within its own staff. The very next day, HackerOne determined that one of its employees had had access to the platform for over two months, from the time they joined the company, and had been submitting already-disclosed vulnerabilities to participating companies. By creating a sock-puppet account to route these fraudulent submissions, the rogue employee contacted seven companies and even received bounties for some of the submissions. Working with its payment partners, HackerOne identified the rogue employee and terminated their employment immediately. It also remotely locked the employee's laptop pending the inquiry and performed forensic imaging and analysis to learn more. On June 30, HackerOne said it would review the matter with counsel to decide whether a criminal referral is appropriate. HackerOne also said it found no evidence that vulnerability data had been misused beyond the duplicate submissions, and it individually informed the customers whose reports had been accessed, giving the dates and times of access for each vulnerability disclosure.