Comment by oarla

4 months ago

The worst part: "We kindly request you keep this report between you and Zendesk". After being notified of a problem on their side, them ignoring it, now they want to keep things hush hush? That's exactly what the author did in the first place, but they chose to brush it aside. That itself is highly unprofessional. With such an attitude, I'm not surprised that they did not pay out the bounty.

The correct procedure when they fuck up and close the report is to ask for the report to be made public. Had he done this, this would have been a non-issue.

The reason people don't do this is because they think they have something that can be modified into another bug. Which is exactly what happened here.

“I will consider not disclosing if you compensate me for my time.”

  • You can't ask for money in exchange for not revealing a bug. That's blackmail, which is illegal and ethically dubious.

    White hat hackers do not require companies to pay them in exchange for not revealing a bug---the reveal of a bug only happens if a company doesn't fix that bug. Companies can be jerks and refuse to pay anything. That doesn't give you the right to blackmail them---you and other security researchers can just refuse to help them in the future.

    A refusal to fix the vulnerability is what happened in the original blogpost, so it was fair game for release since the company doesn't care.

    Hackers that don't care about ethics or legality won't bother blackmailing companies with vulnerabilities. They'll sell or use the vulnerability to steal more important data, and blackmail companies for millions of dollars in crypto.

    • I don't think this is true. I'm not a lawyer and this is not legal advice, but I think it's hard to fit the elements of an extortion statute to a "threat" to disclose the results of technical research work you yourself did. Moreover, if a vendor is working with HackerOne, they've already implicitly consented to their norm of non-disclosure in exchange for payment. Further, in something like 15 years of bounty programs, I haven't heard of any cases like this having been filed --- and bounty researchers threaten to publish all the time.

      I also disagree that there's anything ethically dubious about it.

    • To correct you, the revealing of a past bug happens almost all the time when a company does fix the bug - that's what lets researchers publish their findings and show the work they do publicly, and usually gives the company some positive PR for showing their willingness and responsiveness to fix issues. See the CVE program.

    • Gotcha. The moment you attach a monetary condition it can be seen as extortion. In that case I believe the only responsible thing to do is disclose using customary, reasonable waiting periods.

    • "Since you don't consider this a vulnerability worth fixing, I feel obligated to let people know their Zendesk might be misconfigured".