HackerOne, a bug bounty platform, awarded a $20,000 bounty to a hacker outside its company. The award follows an incident in which HackerOne accidentally gave that outside hacker access to its reports.
According to Ars Technica, the outside hacker was a member of the HackerOne community. The individual, going by the username haxta4ok00, reached out to the firm to inform the vulnerability reporting platform of the problem. As proof, haxta4ok00 reportedly sent selected parts of the customer bug reports along with the cURL command.
Ars Technica says the cURL command released by HackerOne allowed users to access and modify select aspects of the report.
haxta4ok00’s message to the community, dated November 24, 2019, states, “I can read all reports @security and more program.” The user added, “I found what is you can edit private program (for test) I have not changed anything and not used, all for the sake of hacking.”
Later, the hacker wrote once more: “If you need proof, I can write a message.” Ars Technica notes that the user’s messages were written in broken English throughout.
Following the report, HackerOne issued a fix for the session at approximately 7:11 in the morning, about two hours after haxta4ok00 reported the issue.
After issuing the fix, company co-founder Jobert Abma said, “Something came up that we hadn’t asked you yet. We didn’t find it necessary for you to have opened all the reports and pages in order to validate you had access to the account. Would you mind explaining why you did so to us?”
In response, haxta4ok00 said he had done so to “show the impact” and extent of the incident. TechRadar notes that the explanation, while well-meaning, failed to satisfy Abma, who replied, “This became a bigger incident due to the amount of data that you accessed, not because it happened in the first place.”
HackerOne also launched an immediate investigation after the error was reported, and it published a report on the incident on its website.
Although HackerOne posted updates on the incident, it did not disclose the number of users affected by the leak. It did, however, say that it had notified customers whose data may have been compromised.
Despite the reprimand, HackerOne still awarded haxta4ok00 $20,000 for his efforts.