HackerOne is not only a platform that helps businesses stay safe; it also welcomes bug reports from researchers about vulnerabilities in its own platform, and it acknowledges those efforts by awarding bounties. Recently, HackerOne awarded $3500 in bounties within two days to different researchers who reported information disclosure vulnerabilities affecting the platform.
HackerOne Information Disclosure Vulnerabilities
Reportedly, the popular cybersecurity platform HackerOne exhibited two separate security flaws. Specifically, two different researchers found information disclosure vulnerabilities affecting different features of the platform.
The first of these vulnerabilities caught the attention of the researcher with the alias ‘nathand’. As elaborated in a HackerOne report, they found that searching for specific words in Hacktivity exposed some private or redacted information through the search results. According to the researcher,
By abusing this, an attacker could reveal content hidden in a limited disclosed report.
However, HackerOne clarified that this issue only affected some publicly disclosed reports. They also stated that the bug had not been exploited. The vulnerability received a medium severity rating with a score of 4.4.
Another researcher, with the alias ‘ayid’, found the other information disclosure vulnerability. As elaborated in another report, he noticed that latest_activity_id and latest_activity_at exposed internal discussion to unauthorized users. HackerOne rated this bug as a ‘low’ severity flaw with a score of 3.4.
Researchers Won $3500 Bounties
HackerOne promptly acknowledged both bugs and patched them. Not only did the platform fix the vulnerabilities, it also awarded the researchers bounties: nathand received $2500, whereas ayid received $1000.
Following the fixes, HackerOne permitted public disclosure of the flaws.
HackerOne is a platform known for coordinating between businesses and the cybersecurity community. It helps firms stay safe from potential cyber attacks, while researchers get the opportunity to earn money through their efforts in finding vulnerabilities.