The bug bounty platform employee had access to reports received by HackerOne and allegedly used this information to earn rewards from companies.
The bug bounty platform HackerOne allows companies to manage their bug bounty programs. When an ethical hacker reports a vulnerability through the platform, HackerOne triages the report and determines whether, and how much, the hacker is paid for it.
Depending on the severity of the vulnerability, that can cost a company anywhere from thousands to millions of dollars. The platform works for large companies such as Microsoft, Google, Nintendo, PayPal, Slack and Twitter.
But HackerOne itself now appears to be dealing with an insider threat. The platform reports on its website that an employee, who has since been fired, improperly accessed the security reports submitted to the platform. He then allegedly disclosed that information to companies outside HackerOne in order to collect bug bounties himself.
The employee, who had access to the systems between April 4 and June 22, was in contact with seven companies and is said to have claimed a series of rewards from them. The employee has since been fired, and HackerOne says it is taking measures to prevent similar incidents in the future.