Hackerone Employee used to access Researcher's Reports for Personal Gain

HackerOne Employee used to access security reports for Personal Gain

Hackerone

[{"selector":"#anim-e927b6f3-bd96-4fdc-8e7f-ea9e369b340c","keyframes":{"opacity":[0,1]},"delay":0,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-20c7b948-cce8-4f0b-8eca-404c190a5e4e","keyframes":{"transform":["translate3d(0px, -122.00074%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-e833e17c-35fd-4a34-b24f-b89f71f4a940","keyframes":{"opacity":[0,1]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-eb853351-2594-4762-8ed9-5228c29258f0","keyframes":{"transform":["translate3d(0px, 1008.23085%, 0)","translate3d(0px, 0px, 0)"]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-148e6259-6fbf-422f-9341-60f15318bbc6","keyframes":{"opacity":[0,1]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-3f45bf29-2805-45af-afae-73e0fd627b58","keyframes":{"transform":["translate3d(0px, 173.40332%, 0)","translate3d(0px, 0px, 0)"]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] Hackerone is a Platform for Bug Bounty hunters and the Companies who used to strengthen for cyber security risks They rewards Security Researchers for their findings

Hackerone June 2022 Incident

[{"selector":"#anim-ab5cb833-2922-4b6d-9272-65d37ecc5176","keyframes":{"opacity":[0,1]},"delay":0,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-d0e43c56-865b-4fb9-8d8f-02bb350b885b","keyframes":{"transform":["translate3d(0px, -122.00074%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-8b03150a-6688-4f44-8825-d44615734105","keyframes":{"opacity":[0,1]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-7d5a7b0d-70ee-4568-8b96-a1ceb0a3053b","keyframes":{"transform":["translate3d(0px, 1216.23938%, 0)","translate3d(0px, 0px, 0)"]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-478593a3-a4e1-4a67-a629-0572181b45bb","keyframes":{"opacity":[0,1]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-17c5c5ed-059b-4b0d-aee7-5a5a654cd373","keyframes":{"transform":["translate3d(0px, 163.41646%, 0)","translate3d(0px, 0px, 0)"]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] In an Investigation by Hackerone Team, They Identified an employee of their company was used to access Researcher's Security Reports and mark them as Out of Scope or Informative He Used those reports for personal gain, by submitting the reports to their customers

Researchers used to complain Hackerone

[{"selector":"#anim-b6fa171b-3be8-44f1-8dc7-45342ec64a30","keyframes":{"opacity":[0,1]},"delay":0,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-bac20626-8a30-4aca-8fe2-04577f8e4eba","keyframes":{"transform":["translate3d(0px, -122.00074%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-ad24ead8-6561-4572-955f-3723bf1d2f6a","keyframes":{"opacity":[0,1]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-eb117bfc-602c-45de-9a19-efa1948b8049","keyframes":{"transform":["translate3d(0px, 553.24957%, 0)","translate3d(0px, 0px, 0)"]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-894b966c-d69a-4fa0-891e-5daef0679e8b","keyframes":{"opacity":[0,1]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-e7c26d3c-1b5f-417c-8913-145758303113","keyframes":{"transform":["translate3d(0px, 130.30899%, 0)","translate3d(0px, 0px, 0)"]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] Before that there are many Popular Security Researchers used to complain about Hackerone that their zero day findings were stolen by Hackerone But Infosec Community Always shown them in low light and sometimes used to make fun of them

How Hackerone Realised?

[{"selector":"#anim-42031170-c8e3-4716-8c33-df16c84910de","keyframes":{"opacity":[0,1]},"delay":0,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-040b2e89-8fcc-489e-90c3-1f8ccb7ea208","keyframes":{"transform":["translate3d(0px, -122.00074%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-6a78d20c-da48-49d4-ab2b-1cc5d188d984","keyframes":{"opacity":[0,1]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-e9d436d0-dc32-4959-8c08-0677ed9b4d60","keyframes":{"transform":["translate3d(0px, 1189.71258%, 0)","translate3d(0px, 0px, 0)"]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-893814bd-99dc-4ab3-81cc-6d391e0b7390","keyframes":{"opacity":[0,1]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-99ff62bb-27f3-4661-82b4-cb4e7c505691","keyframes":{"transform":["translate3d(0px, 142.22221%, 0)","translate3d(0px, 0px, 0)"]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] Few of their Customers started complaining about some suspicious security reports made outside of the Hackerone Platform and that is similar to hackerone report In an investigation, they found the employee used the reports for personal gain, as per their report, they have terminated the employee

Hackerone shared the transparent report with Researchers

[{"selector":"#anim-d84bb559-6ef9-4e12-9d56-4e7715d7e1cb","keyframes":{"opacity":[0,1]},"delay":0,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-1d05f465-5ed8-4a0c-b3ae-1ac7b58f3c73","keyframes":{"transform":["translate3d(0px, -122.00074%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-4eda0b3b-c201-49a9-9eba-50627903f148","keyframes":{"opacity":[0,1]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-89a0eabd-54e6-4f25-aba8-787a31aab0f7","keyframes":{"transform":["translate3d(0px, 602.30619%, 0)","translate3d(0px, 0px, 0)"]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-fe14c7a5-52a9-4b87-8441-b327112c1bfa","keyframes":{"opacity":[0,1]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-8784b411-2984-4d44-93d3-03ec26001fbb","keyframes":{"transform":["translate3d(0px, 173.40332%, 0)","translate3d(0px, 0px, 0)"]},"delay":400,"duration":1200,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] After that, Hackerone shared the transparent report with their customers and the researchers For researchers, they have notified about their findings which were stolen or misused by the threat actors