Comment by ldoughty

4 months ago

I hate that Zendesk refused to pay out for this bug. The author made a good faith effort to report it. The author also tried to escalate it.

After they decided not to work on it, they later came back and asked him for more information and treated it like a bug...

Author should have gotten a reward. Did everything right if Zendesk claims it's not an in-scope bug.

That is how it works. Do nothing so that the researcher breaks the rules inadvertently as an excuse to not pay, and then fix the problem.

  • Doubtful. It's probably just incompetence, rather than malice.

    The incident almost certainly cost Zendesk more in (according to the gist) lost contracts and reputational damage than it would've cost to pay the security researcher a bounty.