Insider threat stories are always a bit intriguing. Organizations spend so much time worrying about threats from the outside world that when they come from within it's often a total surprise.
Once all the facts are out, you wonder what was going through that employee's mind. How did they think they could get away with it?
Vulnerability coordination and bug bounty platform HackerOne is asking that same question after it discovered that a now-former employee had been copying data from customers' vulnerability reports and resubmitting the same findings off-platform for personal gain; basically, copying and pasting bug bounties for profit.
The company shared this statement, summarizing the incident:
"On June 22nd, 2022, a customer asked us to investigate a suspicious vulnerability disclosure made outside of the HackerOne platform. The submitter of this off-platform disclosure reportedly used intimidating language in communication with our customer.
Additionally, the submitter's disclosure was similar to an existing disclosure previously submitted through HackerOne. Bug collisions and duplicates, where multiple security researchers independently discover a single vulnerability, commonly occur in bug bounty platforms. However, this customer expressed skepticism that this was a genuine collision and provided detailed reasoning. The HackerOne security team took these claims seriously and immediately began an investigation."
HackerOne says it logs employee access to customer disclosures as part of regular business operations. Analysis of those logs showed that a single employee had accessed each of the disclosures the customer flagged as suspicious.
The HackerOne security team concluded that the former employee "improperly accessed security reports for personal gain," a clear violation of company policy. Within 24 hours of the customer's report, the company contained the incident and remotely locked the employee's laptop.
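The log analysis described above, reconstructed as an added example that is not HackerOne's code: a small Python script that, given employee access logs and the report IDs a customer has disputed, lists who touched each disputed report and which employees appear in the access trail of every one of them. The log format, field names, employee IDs and all sample events are constructed for illustration.

```python
"""Added example: correlate employee access logs with a set of disputed reports.

Not HackerOne's tooling. The JSON-lines log format, the field names and the
sample events below are assumed for illustration. The logic mirrors the
investigation described in the article: for each disputed report, collect the
employees who accessed it; an employee who appears in every one of those sets
is the only candidate for a deliberate leak, and a single such employee is the
strongest signal. An empty intersection is also a finding: either the overlap
is a genuine bug collision, or the logs do not cover the access path used.
"""
import json
from collections import defaultdict
from functools import reduce

# Constructed sample access log (JSON lines), not real data.
SAMPLE_LOG = """\
{"ts": "2022-06-01T09:12:03Z", "employee": "emp-101", "action": "view_report", "report_id": "R-4411"}
{"ts": "2022-06-01T09:15:44Z", "employee": "emp-202", "action": "view_report", "report_id": "R-4411"}
{"ts": "2022-06-03T14:02:10Z", "employee": "emp-101", "action": "view_report", "report_id": "R-4590"}
{"ts": "2022-06-05T11:40:00Z", "employee": "emp-303", "action": "view_report", "report_id": "R-4702"}
{"ts": "2022-06-05T11:41:15Z", "employee": "emp-101", "action": "view_report", "report_id": "R-4702"}
{"ts": "2022-06-07T08:00:00Z", "employee": "emp-101", "action": "comment", "report_id": "R-4590"}
{"ts": "2022-06-08T10:30:00Z", "employee": "emp-202", "action": "view_report", "report_id": "R-9001"}
"""

# Actions that expose report contents; "login" or "list_reports" would not.
CONTENT_ACTIONS = ("view_report", "comment", "download")


def parse_access_log(text):
    """Yield one dict per well-formed JSON line; skip blank or garbled lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a damaged line should not abort the investigation


def accessors_by_report(events, actions=CONTENT_ACTIONS):
    """Map report_id -> set of employees who touched it with a content action."""
    touched = defaultdict(set)
    for ev in events:
        if ev.get("action") in actions:
            touched[ev["report_id"]].add(ev["employee"])
    return touched


def common_accessors(touched, disputed):
    """Employees who accessed every disputed report (empty set if none)."""
    sets = [touched.get(rid, set()) for rid in disputed]
    if not sets:
        return set()
    return set(reduce(lambda a, b: a & b, sets))


def investigate(log_text, disputed):
    """Return per-report accessor lists and the employees common to all of them."""
    touched = accessors_by_report(parse_access_log(log_text))
    per_report = {rid: sorted(touched.get(rid, ())) for rid in disputed}
    return {"per_report": per_report, "common": sorted(common_accessors(touched, disputed))}


if __name__ == "__main__":
    result = investigate(SAMPLE_LOG, ["R-4411", "R-4590", "R-4702"])
    for rid, who in result["per_report"].items():
        print(f"{rid}: accessed by {', '.join(who) or 'nobody'}")
    print("accessed every disputed report:", result["common"] or "nobody")
```

The intersection is deliberately computed over the customer's disputed set only: broadening it to every report an employee ever opened would drown the signal in legitimate triage activity, which is exactly what the logging exists to record.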
The company is still deciding whether criminal referral of this matter is appropriate.
It does seem pretty crazy that someone working for a company that handles bug bounties would think they could get away with something as bold as this, but hey, if you're not cheating, you're not trying—or so the saying goes.
How to handle an insider threat
While it is an unfortunate situation for HackerOne, and for the security researchers who actually put in the time to find these vulnerabilities, the incident is a good example of how a company should handle a breach from within.
Jonathan Knudsen, Head of Global Research at Synopsys, applauds the effort from HackerOne:
"When something goes wrong, the best way forward is to limit the damage, correct the problem, and communicate clearly. HackerOne did all of these things in a recent insider threat incident.
Responding to a tip from a customer, HackerOne performed an expeditious investigation. They quickly identified a rogue employee, whose access was cut off and whose employment was terminated. HackerOne communicated to affected customers and also published details of the incident response in a public report. Finally, HackerOne detailed how they would improve their processes to lessen the risk of this type of incident in the future.
Security incidents are often viewed as embarrassing and irredeemable. While your first instinct might be to hide an incident, in fact, the exact reverse is the best course of action. Publishing details and showing leadership with a security-forward, proactive stance will only increase your credibility and earn the respect of your customers.
HackerOne has taken an insider threat incident and responded in a way that reassures customers that they take security very seriously, are capable of responding quickly and effectively, and are continuously examining and improving their processes."
Hopefully, other organizations see how HackerOne handled this situation and choose to follow a similar path when facing an incident, instead of trying to keep things quiet to avoid public backlash.