[BreachExchange] HackerOne's breach highlights security business partner risk

[Destry Winant]

https://www.ciodive.com/news/hackerone-data-breach-bug-bounty/568518/

Dive Brief:

Bug bounty platform HackerOne paid one of its community members a
$20,000 bounty after the individual was able to access a HackerOne
security analyst account, according to an incident report. No
malicious intent or activity was found and copies of the data were
deleted.

Human error led to a disclosed session cookie and the cookie wasn't
revoked until about two hours later. The hacker could "read all
reports," they said on Nov. 24 per the incident report. "It was a
happy white hacking for me."

The compromised data could have led to system access beyond HackerOne,
said Jobert Abma, cofounder of HackerOne, in a reply to the hacker.
The breach gave the hacker access to customer assets, including
vulnerability information, ability to pay bounties, modify program
details, and add users, according to the report.

Dive Insight:

Every company has customer data they have a duty to protect. While
some companies' customer data is consumers' personally identifiable
information, such as addresses and birth dates, HackerOne's customer
data is security flaws.

"We are just as at risk from external attacks as any other business,"
a HackerOne spokesperson told CIO Dive in an email. However, the
customer information HackerOne possesses could be detrimental to
businesses if leaked.

Businesses are forewarned about trusting partners in their ecosystem.
Companies have an extensive network of data aggregators, brokers and
service providers. Because of this complexity, to ensure bulletproof
security, companies would have to re-architect how they share data and
who controls it.

Microsoft found only 15% of firms have some degree of confidence in
their supply chain threat mitigation. Forty-three percent of firms
have zero confidence in their ability to protect their business from
risks from commercial business partners.

Companies, including HackerOne, Bugcrowd, FireEye and IBM X-Force, are
vital in threat detection, a tool companies need and sometimes
outsource.

Threat intelligence is sold as a value-add, "where companies collect
information about emerging threats, taking care, taking advantage of
emerging vulnerabilities," Chris Kennedy, CISO of AttackIQ, told CIO
Dive.

There will always be the risk of potentially exposing vulnerabilities
by the vendor that's tasked with finding them.

"Should a vulnerability be found, HackerOne's bug bounty program
offers a safe reporting channel so issues can be quickly resolved. As
with all vulnerabilities reported to the HackerOne Platform, we
investigated this issue and implemented immediate and long term
fixes," said the spokesperson.

Transparency in the cybsersecurity community is encouraged, but rarely shared.

"Bad guys almost do a better job of compounding their knowledge about
how to attack better than the defensive communities," said Kennedy.
HackerOne discloses all reported flaws on its platform. But before a
customer can patch its systems, it has too much to lose if information
is shared too quickly.