hi, i’m daniel. i’m a 15-year-old with some programming experience and i do a little bug hunting in my free time. here’s the insane story of how I found a single bug that affected over half of all Fortune 500 companies:
hi, i’m daniel. i’m a 15-year-old with some programming experience and i do a little bug hunting in my free time. here’s the insane story of how I found a single bug that affected over half of all Fortune 500 companies:
Regardless of everything else they should be kicked out from HackerOne since it’s clearly Zendesk not being truthful here.
They posted a link to their blog post down in the comments of the gist…
They failed to mention that the report was closed for being out of scope. Any reasonable person would expect that to mean a remediation was not coming. So really he didn’t give up his bounty because he wasn’t getting one to begin with.
Edit: cause autocorrect is dumb.
Sounds like they just didn’t want to pay this guy. That is so dumb as if they lose even a few customers they are going to be in negative. They should of paid him and then turned this into a PR positive.
“Sorry, but per your own guidelines this is out of scope. Because of this, this bug is not part of the agreement and guidelines on Hackerone. You can find my full disclosure, that I wrote after your dismissal here: <Link>” /s
I mean, that still allows zendesk to reply with “oh yeah that’s also why we’re not paying the bounty”
Well, they did it anyways, so…
Also this might work as an answer to “yeah, it’s a bug, but we won’t pay you”