Hacker infiltrates bug bounty platform HackerOne, whose clients include Instagram and Twitter, earns $20,000
In August this year, San Francisco-based HackerOne revealed that hackers earned $21 million in just a year by reporting vulnerabilities via various bug bounty opportunities. This is because governments' efforts to fix malware increased a whopping 214 per cent globally. Hacker-powered security is a technique that utilises collaboration with the hacker community to find unknown security vulnerabilities and reduce security risk. Popular examples include bug bounty programmes and vulnerability disclosure policies.
Facing an embarrassing situation, HackerOne, a bug bounty platform with clients like Starbucks, Instagram, Goldman Sachs, Twitter and Zomato, has paid $20,000 to a user who exposed a vulnerability in its own bug bounty platform. The user with the handle called "haxta4ok00" who has now been paid $20,000 by the establishment.
"A hacker had access for a short time to information relating to other programmes running on the HackerOne platform. Less than 5 per cent of HackerOne programmes were impacted, and those programmes were contacted within 24 hours of report receipt," HackerOne said in a statement.
The hacker, and HackerOne community member posted a report to the bug bounty platform: "I can read all reports @security and more programmes."
HackerOne responded: "We didn't find it necessary for you to have opened all the reports and pages in order to validate you had access to the account. Would you mind explaining why you did so to us?"
Haxta4ok00 said: "I did it to show the impact. I didn't mean any harm by it. I reported it to you at once. I was not sure that after the token substitution I would own all the rights. I apologise if I did anything wrong. But it was just a white hack." This method of white hacking is used by computer security specialists who break into protected systems and networks to test and asses their validity.
Food delivery platform Zomato has paid more than $100,000 (over INR 70 lakh) to 435 hackers to date for finding and fixing bugs on its platform. With the help of HackerOne's bug bounty programme since July 2017, Zomato has successfully resolved 775 vulnerabilities report.
*Edited from an IANS report.