Comment by m11a
4 months ago
Doubtful. It's probably just incompetence, rather than malice.
The incident almost certainly cost Zendesk more in (according to the gist) lost contracts and reputational damage than it would've cost to pay the security researcher a bounty.
Or just fix the problem and not pay the bounty. Why pay at all if you can find a way not to?
Risk of bad rep when the researcher reports to HN or makes some noise. Then future security researchers don’t try find issues on your platform, and it’s more insecure as a result.
For a sensible large company, it’s not worth being stingy over (relative) pennies. They waste money like it’s water. They might as well spend where it matters. Bug bounties won’t even show on their bottom line, but cleanup for an exploited issue will.