Race condition leads to duplicate payouts

Congratulation Bulwarkers!!

Jigar Thakkar discovered a race condition issue with some recent changes to our payments code that caused him to be able to receive duplicate payouts for some bounties.

A number of variables and timing had to be just right for it to actually allow a malicious actor to exploit this and receive duplicate payouts. Note that the companies were never double-charged for these duplicate payouts, so this monetary loss only affected HackerOne.

We’re disclosing this under Limited Visibility due to multiple mentions of private programs, e-mail addresses, specific bounties, and other sensitive information that would be too difficult to accurately redact without distracting from the overall report.

Our bounty for this issue is actually $1000, but @jigarthakkar39 already received $250 of this due to his exploitation of this particular vulnerability. 🙂

Refer: https://hackerone.com/reports/220445

Leave a Reply

Your email address will not be published. Required fields are marked *