Comment by ZendeskTeam

> We also want to address the Bug Bounty program associated with this case. Although the researcher did initially submit the vulnerability through our established process, they violated key ethical principles by directly contacting third parties about their report prior to remediation.

What was the planned response for addressing the vulnerability reported through the Bug Bounty program, and how did the plan change after the researcher escalated the issue directly to Zendesk before remediation was completed?

> ...they violated key ethical principles by directly contacting third parties about their report prior to remediation

According to the researcher, they only contacted 3rd parties after Zendesk rejected the disclosure as out of scope, as they are free to do.

If this timeline is incorrect, Zendesk should immediately correct the record. As it stands, accusing the researcher of violating ethical principles looks very bad for Zendesk. Perhaps even libelous.

That it affected Slack was a side-effect of the original bug, and not a new, previously undisclosed bug. Zendesk fixed the original bug, after rejecting the disclosure. Given all that, Zendesk is still ethically bound to honor the bounty, 3rd party disclosures notwithstanding.

Extremely poor response. You can't blame him for contacting others affected when you marked it as out of scope. And yet you fail to mention that in your blog post..

Other than violating the Bug Reporting program how else would it have been fixed given you failed to recognise the issue?

Are you yourself not at fault for forcing him to violate the terms in order to protect your customers?

Wild response. It appears you did not learn a single lesson through this process.

You didn't provide details, you provided a defense, which is weak at best.

this is a horrible response. just upvoting so more people can see this mess.

1. "While this specific issue has been resolved", that was a bug, not an issue.

2. "they violated key ethical principles by directly contacting third parties about their report prior to remediation", what is a violation of ethical principles is to know about a security failure in your application and ignore it, leaving customers at risk, can't wait for some law to pass so people who behave like that face consequences.

3. "We have no evidence that this vulnerability was exploited by a bad actor.", tldr, it don't fixed it until some vendor dropped us, because before that happened, it was cheaper to ignore it.

This response looks really bad for ZenDesk.

This is blatant dishonesty- the post documented in detail that the reward had already been denied, and the issue ignored multiple times before they contacted 3rd parties. That is not an ethical violation but an ethical necessity- after ZenDesk refused to act, they had an ethical responsibility to inform everyone affected.

This alone is a huge red flag that ZenDesk isn't a trustworthy organization, on top of trying to hide rather than correct security issues unless they get bad press.

If I were ZenDesk, I would pay out the bounty to this kid immediately, and release a detailed public apology explaining how the entire bounty review system has been revamped to take things like this much more seriously in the future.

Terrible response. Your team should do a retrospective on its retrospective.

This response is worse than no response at all.