Comment by yieldcrv

4 months ago

HackerOne’s mediator dropped the ball here

They should absolutely inform a client company of a perceived threat, when they agree on the threat

Most of the person’s post and responses here are about Zendesk’s issue, but Zendesk was never informed

For a better PR response, I think now Zendesk could reward this after realizing it wouldn't have been disclosed first, and admonish HackerOne for not informing them and the current policies there

This is pretty common on H1, probably due to the amount of crap they receive.

If you are a new user, expect your first couple of reports to be butchered. It seems to me only reports from well-known hackers get carefully analysed.

> Most of the person’s post and responses here are about Zendesk’s issue, but Zendesk was never informed

It's not clear whether they were informed. The mediator's email says "after consultations with *the team*", which is likely referring to Zendesk's security team.

  • It anyways took Zendesk several months to fix the issue and they also didn’t acknowledge the author with what should be a very sizeable bounty. It’s not every day that someone tries to warn you about a massive security hole and then goes out of their way to warn your clients for you because you ignored them.

Zendesk was informed. OP specifically said they asked h1 to escalate to the company itself, and the second email they present was from someone from Zendesk, who still rejected them, adding that this decision was made “after consulting with the team”.