This is Part 2. Part 1 can be found here.
HackerOne’s Managed Triage
From what I understand of HackerOne’s managed triage, “Finders” (researchers) submit their findings to HackerOne, whose triagers/analysts review the submissions before the program they are written for ever sees anything. There is a clear potential for conflict and corruption in the system they use, at least as it was described to this site, because the people who get the first glimpse of findings are also bug hunters in their own right, and could theoretically steal the findings or use the findings on other platforms to earn themselves bounties. And that’s precisely what Blindu and others claim has happened with HackerOne, even though they acknowledge that they do not have firm proof for some of their allegations.
As one example, Blindu claimed that some of his findings relating to HBO bugs were stolen by someone from HackerOne, who then reported his findings to Samsung TV. Blindu told this site:
The bug itself was also quite big affecting all European servers. The HBO team probably remembers this bug because it was hard to find. It was via a Samsung tv app. So when I found this bug, I found a tv bug as well.
A triage guy stole my ideas and also was rewarded same time in Samsung.
To complicate matters even more, when the managed triage system was first introduced, Blindu claims that HackerOne staff did not make clear that it was they who were doing the triage — the resolutions appeared to be coming from the programs. Blindu says that he was surprised to get some aggressive responses that appeared to be from HBO. Only later did he find out that it was HackerOne staff.
Agreeing with Blindu on the conflict of interests/potential corruption aspect, Brazilian-based Rodolfo Assis (@rodoassis on Twitter) claims that HackerOne has made a very serious mistake by hiring people who are also bug hunters themselves and who can report their findings on the platform. There is no transparency, he says, regarding duplicates or “NA” decisions.
“Also, some of their current or past analysts are known for terrible incidents, including offense and theft of private material,” Assis claims. When DataBreaches.net asked him for an example or proof, Assis responded:
“I can prove it. I was the target of it. I will give you an example,” he wrote, pointing me to an interaction between Brute Logic (@brutelogic on Twitter) and @Yassineaboukir, a HackerOne analyst.
The specifics of that interaction aside as it is hard to tell exactly what originally happened just by reading the tweets, @Yassineaboukir’s profile tends to support the concerns raised by both Blindu and Assis:
Smoking beer and drinking weed. Wearing security analyst hat @Hacker0x01 by day and put on my hacking pants at night (http://hackerone.com/yassineaboukir)
So he – and presumably others – have access to what hackers are finding and submitting to HackerOne. And he or they could delay responding/deciding, and could decide “NA,” while at the same time taking the information and submitting it elsewhere under their own name.
The problems and accusations of corruption or potential corruption with respect to managed triage were also raised by a third researcher called @mslavco on Twitter. In a private chat with DataBreaches.net, he explained that he had submitted two reports to HackerOne, and one of them was a vulnerability affecting many endpoints of popular web applications.
“Jobert [a HackerOne co-founder] was rude with it and marked it as duplicate with silly issue old 4 years,” @mslavco claimed. When he demanded the reports be disclosed, Jobert continued to sit on the reports, he says. After four months, Jobert finally agreed it was a security issue.
And most important — when I request mediation ( they don’t have mediation request on their program ), he [Jobert] laugh at me….. As I said, the issue is original research by me and it is censored by them.
As far as @mslavco can determine, those may be the only reports HackerOne has actually censored, and he still wants them released so that the hacker community can weigh in on his research. [UPDATED below at end of story].
Is H1 Bad for the Hacker Community?
As serious as the managed triage concerns are, they are not Assis’s biggest criticism of HackerOne. He expressed significant concerns for what he alleges the platform is doing to the hacker community as a whole.
And one of the things that irritates him the most is how HackerOne founders consider their closest members (“the ones who go to their Herbalife-like events”) as the best hackers in the world. Assis sees that as an embarrassment to the larger hacker community as so many really high-level researchers do not attend HackerOne events and do not even participate in HackerOne.
“There is really something ROTTEN regarding the BB industry but specially HackerOne,” Assis tells DataBreaches.net. “They are making kids work for free or very few, stealing jobs from real infosec professionals.”
But as with Blindu, Assis notes that there was not unequivocal proof of some of his claims. And one of the most troubling claims or accusations, perhaps, is whether HackerOne knowingly helped Uber cover up an extortion payment to hackers and then lied to Congress. DataBreaches.net will have to leave that question to Congress to investigate.
One way to determine if HackerOne has made poor decisions is to get responses from programs they presumably serve. @mslavco claims that he actually went back to programs directly when he got unsatisfactory responses or negative responses from HackerOne.
So what was @mslavco told? Although he did not name the programs involved, @mslavco claims that after HackerOne had flagged one of his submissions as N/A after only a few hours, he contacted the program privately with his findings and they found it merited a bounty or reward, which is now listed on their site.
He also claims that four other issues he submitted to HackerOne for the same program remained in triage for 5 months (when normally, the company pays bounty within two weeks). He had also reported three 0days for the same program. Unhappy with HackerOne’s responses and slowness, he contacted the program directly.
“[The] program thanked me on (sic) email and told me they will work with H1 in order to fix their behavior towards me. Now program is taking a rest from h1,” @mslavco writes.
“Why isn’t there mediation/control towards H1 which would stop king mode behavior of H1 members/triage teams? Being in king mode, they put their client under threat and they are fracturing infosec community in many ways.” — @mslavco
The three researchers DataBreaches.net spoke with are adults trying to make a living through their research and findings. When HackerOne founders or analysts engage in questionable behavior or reach decisions the finders strongly disagree with, where is the unbiased or independent review or mediation? And if not unbiased or independent review, how about the programs themselves deciding in the event of a dispute?
“This cost me a lot,” @mslavco says, “from reputation and financial aspect… Only my report towards h1 would cause at least 10 more reports towards most popular programs…”
In response to questions from DataBreaches.net, HackerOne declined to answer some questions, but did state that they have 200 employees and that they have awarded hackers more than $42 million in bounties to date. They would not provide figures for their payouts for 2018, and would not comment on customer program inquiries this site had included. Should they want to discuss any of the issues raised in this post, I would be happy to update or give them a chance to clarify points.
TheNextWeb has some information on bounty payouts last year, and some comparisons of different bug bounty platforms can be found on Gartner, IT Central Station, and Owler, among others.
But here’s the one thought I am left with after having spent so much time talking with these three researchers and hearing that at least one of them claims to be sitting on critical vulnerabilities for PayPal. If HackerOne bans solid researchers and big companies like PayPal, HBO, and others do not figure out a way to allow researchers to contact them outside of HackerOne, our data security has needlessly and — dare I say — negligently been left at risk.
If a platform is going to provide paid triage services for customers, and researchers really disagree with analysts’ opinions, there needs to be a way for the information to get to the program so that the company’s internal team can review the findings and make a decision. We should not all be at the mercy of people who wear two hats in their life that may conflict.
Update: After this article was published, I learned that while this article was in preparation, HackerOne did release @mslavco’s report on December 27, noting:
mslavco submitted a report to us that identified a way to extract certain information about reports. In our testing the method was not reliable enough to exploit this in the wild, which is why no fix was prioritized. In 2019 this endpoint will likely be deprecated and we’ll move to GraphQL to query the information. This new endpoint will require a token, which means it won’t be susceptible to the described attack. We’d like to thank mslavco for their report.
Even though we don’t publicly disclose reports that weren’t closed as Resolved, we’re making an exception here for transparency’s sake. Multiple accusations, by different actors, have been made of harassment, hate speech and discrimination by the reporter. We’ve investigated the accusations and determined that this was not the case.
Update 2: There have been some responsive comments on Twitter that programs always have the ability to view reports no matter what stage they are in. While theoretically that would be possible, if the customer configures their triage with HackerOne to have H1 do more triage, then realistically speaking, they will not be looking at all reports. Why did @mslavco have to go outside the platform to contact the programs when he disagreed with resolutions? Is a more robust appeal process needed?