Comment by junto

4 months ago

I help corporates evaluate and buy software. Having an ineffective bug bounty program, especially one that rewards black market activity on a terms & conditions technicality like this, is enough for me to put a black mark on your software services.

I don’t care if you’re the only company in the market, I’ll still blackball you for this in my recommendations.

Zendesk should pay up, apologize and correct their bug bounty program. After doing so, they should kindly ask the finder to add an update to this post, because otherwise it will follow them around like dogshit under their shoe.

Yes, I think bounties in this class and with this impact should at least be six figures.

If a company loses 120 million a year to security bounties, they will take into account the cost of scrumming/rapid widget delivery.

Would love to see the parts of the market where you've marked off every current option, given each would represent new business opportunities.

  • Probably any SK company. Bounties are awful and only paid out to SK citizens. Everyone else gets a pat on the back for being a sucker.

HackerOne’s mediator dropped the ball here

They should absolutely inform a client company of a perceived threat, when they agree on the threat

Most of the person’s post and responses here are about Zendesk’s issue, but Zendesk was never informed

For a better PR response, I think now Zendesk could reward this after realizing it wouldn't have been disclosed first, and admonish HackerOne for not informing them and for the current policies there.

  • This is pretty common on H1, probably due to the amount of crap they receive.

    If you are a new user, expect your first couple of reports to be butchered. It seems to me only reports from well-known hackers get carefully analysed.

  • > Most of the person’s post and responses here are about Zendesk’s issue, but Zendesk was never informed

    It's not clear whether they were informed. The mediator's email says "after consultations with *the team*", which is likely referring to Zendesk's security team.

    • It anyway took Zendesk several months to fix the issue, and they also didn't acknowledge the author with what should be a very sizeable bounty. It's not every day that someone tries to warn you about a massive security hole and then goes out of their way to warn your clients for you because you ignored them.

  • Zendesk was informed. OP specifically said they asked H1 to escalate to the company itself, and the second email they present was from someone at Zendesk, who still rejected them, adding that this decision was made "after consulting with the team".