HackerOne June 2022 Incident Report (hackerone.com)
30 points by uptown on July 1, 2022 | 6 comments


Quite brazen that they are tweeting about reports after their termination date https://twitter.com/0xRzlr


Wow zero self-awareness

This will be one of those cases where the person will be surprised they landed in jail


>>The former employee's role was to triage vulnerability disclosures for numerous customer programs.

-

So this former employee's access was specifically to assess and triage threats???

This isn't a simple "person"

This is a pot that has already reached out far.

Only an idiot would say "yep this little security breach is plugged"

-- NUMEROUS

So where are his reachings?

That one sentence alone should cost careers of 'cyber consultants'

WHO

WHAT

WHY

WHERE

WHEN

Let's go back to basics here folks...

JEASUS

Where is the list of "numerous" customers...


I had 5 reports disclosed to me yesterday that were part of this incident (I'm a security researcher).

None were marked as duplicates, so I don't think the employee tried to take credit for my work.

I'm glad HackerOne decided to be transparent about this incident.


It’s always really funny when “security” companies have a centralized DB that grants tons of employees permissions to browse it. What were they thinking?

Could have been much worse.


[HackerOne CTO here]

There are certainly some important lessons for us to learn here but, just for clarity, this wasn't one of them. The data access in question here was central to the individual's daily job responsibilities and done through systems explicitly built for this purpose.



