A bug bounty firm caught an employee stealing reports to earn money

July 6, 2022
Bug Bounty Firm HackerOne Employee Stolen Reports Cybersecurity

HackerOne, a vulnerability and bug bounty cybersecurity platform, had recently disclosed that one of its employees had hacked into the firm’s internal data to steal bug bounty reports and use them for side income purposes.

Based on the reports about the incident, the suspect had unauthorised access to HackerOne’s internal data, which allowed them to harvest the security reports and share them externally to gain the bounty prize. The affected security firm also shared that the suspect had access to the data for over three months since April this year.


The bug bounty firm reported having been alerted last June 22 sent by a suspicious customer about receiving duplicated vulnerability reports from the security platform and the suspect.


As explained by HackerOne, it was quite common for bug bounty platforms to receive duplicates of bugs and vulnerabilities. However, the customer who raised their suspicions about the bug collision had given them solid reasons that the incident must be investigated, which the bug bounty firm had immediately considered.

Furthermore, the suspicious customer also mentioned how the individual in question had used aggressive language in their discussion, which further suggests that the person is in a rush to claim the bounty’s monetary payouts.

Upon learning the identity and information of the suspect, it turned out they were an employee of HackerOne, which denotes that the person had violated the firm’s policies, contracts, values, and company culture. Thus, the employee was immediately dismissed from the company.

The bug bounty firm reinforced its internal security protocols to ensure that the same incident would not transpire again. Furthermore, HackerOne is currently awaiting a counsel review to determine if the suspect must be penalised with legal interventions.

HackerOne’s representative highlighted that their organisation has been honouring their commitment to disclosing critical security incidents since it is one of its values to be transparent in sharing information that could aid the online landscape in building a safer environment for everyone.

About the author

Leave a Reply