1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies
gist.github.com
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies - zendesk.md

hi, i’m daniel. i’m a 15-year-old with some programming experience and i do a little bug hunting in my free time. here’s the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

  • JordanZ@lemmy.worldEnglish
    12·
    23 days ago

    They posted a link to their blog post down in the comments of the gist…

    We also want to address the Bug Bounty program associated with this case. Although the researcher did initially submit the vulnerability through our established process, they violated key ethical principles by directly contacting third parties about their report prior to remediation. This was in violation of bug bounty terms of service, which are industry standard and intended to protect the white hat community while also supporting responsible disclosure. This breach of trust resulted in the forfeiture of their reward, as we maintain strict standards for responsible disclosure.

    They failed to mention that the report was closed for being out of scope. Any reasonable person would expect that to mean a remediation was not coming. So really he didn’t give up his bounty because he wasn’t getting one to begin with.

    Edit: cause autocorrect is dumb.

    • Possibly linux@lemmy.zipEnglish
      4·
      22 days ago

      Sounds like they just didn’t want to pay this guy. That is so dumb as if they lose even a few customers they are going to be in negative. They should of paid him and then turned this into a PR positive.