HackerOne, a vulnerability coordination and bug bounty platform, announced that a former employee had used their access to sensitive information about clients' vulnerabilities to turn a quick profit.
The unnamed individual's system access was terminated just 24 hours after a tip-off from a customer revealed they had "improperly accessed information in clear violation of our values, our culture, our policies, and our employment contracts."
The employee appears to have contacted seven customers between April 4 and June 23, 2022 in an attempt to make extra money from resubmitted vulnerability disclosures.
The firm closed the employee's accounts, terminated their employment, and is currently considering criminal prosecution.
The former HackerOne employee, who went by the handle "rzlr" in communications with customers, is said to have used "intimidating" language with them when anonymously disclosing vulnerabilities that had already been found and disclosed.
A study last year found that a third (33%) of reported data breaches involved someone with authorized access to the impacted data, although in most cases, this led to unintentional data loss rather than deliberately malicious activity.