1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies
gist.github.com
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies - zendesk.md

hi, i’m daniel. i’m a 15-year-old with some programming experience and i do a little bug hunting in my free time. here’s the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

  • troed
    842 months ago

    Despite fixing the issue, Zendesk ultimately chose not to award a bounty for my report. Their reasoning? I had broken HackerOne’s disclosure guidelines by sharing the vulnerability with affected companies

    Regardless of everything else they should be kicked out from HackerOne since it’s clearly Zendesk not being truthful here.

    • Elvith Ma'forEnglish
      412 months ago

      I couldn’t help but find it amusing—they were now asking me to keep the report confidential, despite having initially dismissed it as out of scope.

      “Sorry, but per your own guidelines this is out of scope. Because of this, this bug is not part of the agreement and guidelines on Hackerone. You can find my full disclosure, that I wrote after your dismissal here: <Link>” /s

      • @[email protected]English
        52 months ago

        I mean, that still allows zendesk to reply with “oh yeah that’s also why we’re not paying the bounty”

        • Elvith Ma'forEnglish
          42 months ago

          Well, they did it anyways, so…

          Also this might work as an answer to “yeah, it’s a bug, but we won’t pay you”

    • @JordanZEnglish
      342 months ago

      deleted by creator

      • Possibly linuxEnglish
        42 months ago

        Sounds like they just didn’t want to pay this guy. That is so dumb as if they lose even a few customers they are going to be in negative. They should of paid him and then turned this into a PR positive.