Bug bounty startup HackerOne suffers breach after analyst mistake
Thursday, December 5, 2019
The company has now made changes to its security procedures. The researcher haxta4ok00 was also paid $20,000 for identifying and reporting the security issue.
“It is quite surprising that the security measures, now announced by HackerOne, were not implemented before, given that some of them are of a fundamental and indispensable nature,” Ilia Kolochenko, founder and chief executive of web security company ImmuniWeb, told SiliconANGLE. “Other corrective measures,” he added, “may also appear questionable, for example blocking access from specific countries.”
“Security researchers may feel at least uncomfortable, if not embarrassed, in light of HackerOne’s persistent advertising of diversified and international crowd intelligence,” Kolochenko explained. “And importantly, sophisticated cybercriminals will bypass this ‘measure’ with the utmost of ease. Nonetheless, rapid and transparent disclosure of the incident by HackerOne serves as a laudable example to others and reminds us once again that humans are the weakest link.”