Comment by rendall
4 months ago
> ...they violated key ethical principles by directly contacting third parties about their report prior to remediation
According to the researcher, they only contacted 3rd parties after Zendesk rejected the disclosure as out of scope, as they are free to do.
If this timeline is incorrect, Zendesk should immediately correct the record. As it stands, accusing the researcher of violating ethical principles looks very bad for Zendesk. Perhaps even libelous.
That it affected Slack was a side-effect of the original bug, and not a new, previously undisclosed bug. Zendesk fixed the original bug, after rejecting the disclosure. Given all that, Zendesk is still ethically bound to honor the bounty, 3rd party disclosures notwithstanding.