Someone called it a “breach,” and the world took notice. Here is the story.
There is no trust without transparency. For us at HackerOne, it is a company value we live every day. Any valid vulnerabilities reported to HackerOne’s bug bounty program are always publicly disclosed once confirmed and resolved.
Few companies today elect to offer the same level of transparency. It may seem counterintuitive to publish when things go wrong. Disclosing resolved vulnerabilities can invite scrutiny and shame. The security challenges organizations face today are common, and by sharing this information with each other, we make the internet a safer place.
On November 24th, 2019, while reporting a vulnerability to HackerOne, a hacker had access for a short time to information relating to other programs running on the HackerOne Platform. Earlier this week, HackerOne publicly disclosed this vulnerability report. This report came in through our bug bounty program. It detailed a security vulnerability impacting HackerOne and less than 5% of our customer programs. No damage was done.
This vulnerability report was not a breach. There was no malicious intent, no unauthorized access, and no data was altered or disrupted. This was a bug bounty program in action. Eight minutes after the weakness was introduced, the hacker reported it. The internal team followed standard protocol to investigate the issue and implemented immediate and long-term fixes within hours.
The individual is not new to HackerOne; they are one of the top reporters on our bug bounty program. Since 2016, they have reported over one-hundred valid vulnerabilities. We appreciate their ongoing contributions to the security of HackerOne.
True community is only possible with transparency
The security community is tasked with building and maintaining trust. If we acknowledge that all software contains bugs, we must also recognize the only way to improve is to share knowledge. Threats to an emerging culture of disclosure also threaten the industry as a whole.
Security issues will always exist. By defaulting to disclosure, we aim to help set a new standard for how to respond. Many of our customers champion the same practice of disclosing their resolved vulnerabilities. Nearly 8,000 vulnerabilities have been publicly disclosed on Hacktivity to date, empowering everyone to learn from each other and grow.
HackerOne was built from the ground up with security as our top priority, learning from every disclosed report along the way. Since 2013, HackerOne is 350+ vulnerabilities safer thanks to the hackers who reported them. In addition to our ongoing bug bounty program, we proactively run multiple third-party audits annually as part of our comprehensive defense-in-depth security strategy. Even so, we know vulnerabilities will always exist, and our bug bounty program plays a crucial role in identifying these weaknesses. Security is a journey, not a destination, and we are safer with hackers on our side.
There is only one way to do security: Together
In the early days of building HackerOne, we had a saying: “Leave it better than you found it.” We hoped that the platform we were building would make even a small impact on the world through improved security and coordinated disclosure.
Many security teams face the same challenges, and it's impossible for one team to have the answers to everything. By pooling our knowledge, we can all help each other learn from our experiences and improve the overall health of the internet. We can leave the internet better than we found it.
We envision a world where ignoring vulnerability reports from hackers is viewed as negligent, security is collaborative, and transparency breeds trust. Public disclosures are an essential part of building a safer internet.
Security is a journey, not a destination. With this vulnerability report, and the fix that was promptly applied, the internet is more secure. And we are all safer with hackers on our side.