Bug Bounty Research Triggers ServiceNow Security Alert
Bug bounty research inadvertently led organizations to believe they were being breached through their ServiceNow instances.
Alexander Culafi, Senior News Writer, Dark Reading
June 10, 2026
3 Min Read
ServiceNow warned that a vulnerability may have been used to target customer environments, but the company has since attributed this activity to bug bounty research.
The business workflow software company yesterday informed customers, through a gated knowledge base article, that it had detected anomalous activity related to a "security issue." The issue, which the company did not explicitly call a vulnerability, could allow greater access than intended; an unauthorized user was able to successfully query certain instance tables belonging to a subset of ServiceNow customers.
The issue was addressed in a June 5 update, which was applied to hosted customer instances. In the initial knowledge base article, the only technical detail described was that "The security update changes an endpoint configuration to limit access to authenticated users."
"The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia," the company said. "If you have not received a case from us, then we did not observe such activity in connection with your instance and no action is currently required."
Today, ServiceNow published an additional, public-facing security notice clarifying that, based on the company's investigation, it believes "the observed activity is attributable to security researchers or customer research."
"On June 3-4, 2026, customers shared submissions to their bug bounty programs regarding a security issue that could, in certain circumstances, allow an unauthenticated user to gain unwanted access to information in ServiceNow instances," ServiceNow said. "These submissions were similar to a confidential submission sent to our bug bounty program on April 22, 2026."
Bug Bounty Researchers Mistaken as Threat Actors
ServiceNow said it is in contact with the researchers, who said activity was solely for bug bounty submissions, "and no data was used or retained."
"On June 7, 2026, two security researchers submitted a report to our bug bounty program. Based on our investigation to date, we have reason to believe the observed activity can be attributed to security researchers or customers conducting their own research," the notice read. "Our investigation is ongoing, however, and subject to additional validation. Because this research spanned multiple organizations, some of our customers may have received related bug bounty submissions from the same researchers."
An integral part of the security ecosystem, independent security research (often observed through bug bounties) covers a broad spectrum of activities. Unfortunately, the nature of independent research can, for one reason or another, cause a researcher to be mistaken as a threat actor. On the opposite end, threat actors can present themselves as researchers or penetration testers at times, and even organizations have presented attackers this way. At present, this may be a case where bug bounty research was mistaken for malicious activity.
Ensar Seker, CISO at SOCRadar, says this kind of situation is relatively uncommon, but not unprecedented.
"Most bug bounty researchers understand and respect program scope because their reputation, future participation, and potential rewards depend on following the rules," he tells Dark Reading. "However, in large cloud environments, the line between legitimate security research and unauthorized testing can sometimes become blurred, especially when researchers discover a path that unexpectedly leads beyond the intended target or reveals access to production resources."
A spokesperson for ServiceNow tells Dark Reading that ServiceNow applied a security update to hosted customers, that the company directly notified affected customers, and that the range of customers impacted "was not broad."
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere.
At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels.
He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.