Bug bounty denied? Hmmm ... OK, let's see ... - eviltoast

hi, i’m daniel. i’m a 15-year-old with some programming experience and i do a little bug hunting in my free time. here’s the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

  • Lvxferre@mander.xyz
    link
    fedilink
    English
    arrow-up
    7
    ·
    23 days ago

    My sides went into orbit!

    The way that the Github comment is phrased, it implies that the link contains additional info that hackermondev didn’t mention. It doesn’t - instead it contains a subset of that info, missing critical bits:

    1. That Zendesk initially dismissed hackermondev’s report.
    2. That the “third parties” in question were Zendesk’s clients.

    Both pieces of info were omitted to back up a lie present in the text, that the bug hunter would have “violated key ethical principles”. He didn’t - as he noticed that Zendesk gives no flying fucks about the security issue, and that remediation was unlikely, he warned the people affected by the issue, so they can protect themselves against it.

    Zendesk is not just being irresponsible - it’s also being manipulative, and doubling down instead of doing the right thing (“we incorrectly dismissed that report. It was our bad. Here’s your 2k.”) They have no grounds to talk about ethical principles.