Journalists at BleepingComputer have drawn attention to a curious incident in the Monero bug bounty program on HackerOne: a researcher passed off a vulnerability discovered by someone else, together with the exploit for it, as his own work and collected a reward.
The publication notes that bug hunting is not only a good cause that benefits the community but also a multimillion-dollar industry. As a result, some people may try to abuse platforms such as HackerOne and Bugcrowd, which were designed to foster ethics, trust and accountability among information security professionals, for their own financial gain.
Last weekend, security researcher Guido Vranken discovered that one Everton Melo had used a copy of an exploit Vranken had written to report a vulnerability to the Monero bug bounty program on HackerOne. The vulnerability, which Vranken had found in the libzmq 4.1 series back in 2019, was a critical buffer overflow (CVE-2019-6250); he had notified the developers about it in January 2019.
"Lol someone literally copied and pasted my libzmq + analysis exploit in the (HackerOne) bug bounty and took the money," Vranken wrote on Twitter.
– Guido Vranken (@GuidoVranken), October 17, 2020
Although HackerOne staff have detected and closed plagiarized reports before, accidental human error can never be ruled out. The Monero developers have since stated that they cannot claw back the amount already paid to the plagiarist:
“NB: This report was stolen (!!) from the original Guido Vranken vulnerability report without any mention of his merits. We overlooked the fact that the report was redrawn from there, as we focused on reproducing the problem and fixing it. This is incredible meanness. Please don't do this. We contacted Guido to pay him a reward and unfortunately we cannot withdraw Everton Melo's reward.”
Interestingly, on closer examination of the report the developers found that the 4.1 series is apparently not affected by CVE-2019-6250 at all, but it is definitely affected by CVE-2019-13132, and on that basis they decided that Melo was still eligible for the reward. For the same reason, the title of the report on HackerOne was changed to refer to CVE-2019-13132 instead of CVE-2019-6250.