I found Prezi's source code

712 points by psychboo over 11 years ago

63 comments

sophacles over 11 years ago

My $.02 on this is that Prezi should not have awarded the researcher the cash under the bug bounty program, however they should have given him a reward anyway. Awarding the money as part of the bug bounty wouldn't be fair play under the rules of that program, but he potentially saved them a TON of money and problems. As such, he should be rewarded somehow. Further, had he been less than honest, he may have been able to leverage the code itself to find more than one $500 bug.

I think Prezi should have done something like this:

* Acknowledge the problem and the seriousness of it
* Offer a reward, but not under the bounty, just a "thanks"
* Have him sign an NDA about the source itself, the specific details of the issue, and the amount of the award
* Allow him to write up the experience should he choose (good PR for Prezi)
* (maybe) Offer a contract for the researcher to find more such issues, or announce a different program as a result of it.

The reasoning behind doing it outside the program is that Prezi needs to walk a fine line between saying "just attack everything and we'll pay you!" and "we are too process driven for our own good", or they end up getting bad press from people who tried to follow the rules not getting anything while cheaters are getting paid.
eli over 11 years ago

It *was* out of scope. The rules are pretty clear: http://prezi.com/bugbounty/ and he broke at least two of them.

And it seems like he knew it was out of scope when he submitted it too: "I had spent a total of 2 hours sifting and crawling through their services which were *in scope*, but wanted to see if I could locate any *other* subdomains..."

Now I think Prezi should probably have paid him anyway because that's a pretty boneheaded error and I'd be very grateful if someone politely pointed it out to me... but they aren't obligated to. You can put your pitchforks down.
toddmorey over 11 years ago

Why even have a limited scope on bounty programs? (This is not the only time I've seen that.) Is it only to limit payout? Are there legal reasons? For example, their client tablet applications are ineligible. I just don't get the reasoning.

In their position, I'd pay him the $500 and remove the idea of scope. I'm just curious if there's some counter-argument I'm not thinking about.
colinbartlett over 11 years ago

There should be some neutral third party non-profit that adjudicates bug bounties so that security researchers don't need to worry that their efforts will go to waste.

Companies could sign on to using this third party, pay a fee and put up escrow for the service. This would motivate researchers to find bugs for those companies that utilize the service, knowing payment will be impartial.
Systemic33 over 11 years ago

What is the gain in setting up a "Can you hack us?" and then making some parts out of scope?! It's not like a black hat hacker would go "Oh well, this isn't their usual domain, so it's not fair" -.-

The only thing this causes is exceptionally bad PR, or even worse for the company: someone just got access and you don't know. Access to source code is like the gold mine of finding an exploit, because you will know exactly where a vulnerability is, and you won't even have to blindly test it.
nikcub over 11 years ago

Exhibit A of why having a scope for bug bounties is a terrible idea. What is the point of testing your app for esoteric bugs when your entire source code and passwords can be Google dorked?
halacsy over 11 years ago

I'm hp co-founder and CTO of Prezi. We learn from our mistakes, and we have changed the program: to improve the program, from now on we will reward bug hunters who find bugs outside of the scope, provided that they do not violate our users' information and that their report triggers us to improve our code base. We will also retroactively check to see if other reports found issues that fall into this category. More info at engineering.prezi.com/blog/2013/12/03/a-bug-in-the-bugbounty/
ddoolin over 11 years ago

"Out of scope". Wow. Even more worthwhile that such a huge out of scope bug was found. These companies seem to try anything to keep from paying bug bounties.
infosec_au over 11 years ago

Hi, I just thought I would update everyone on my experience and the last 12 hours.

At the time in which I found the bug and was not awarded for it, I was quite upset, evident from my tone in the email in which I decided that I did not want to receive any of their "swag", but rather give them some constructive criticism.

I wasn't expecting the blog post to get as noticed as it did, but as it has, I was able to observe great points on both sides of the argument of whether or not I should have received the bug bounty. These discussions were definitely required as they brought out some important issues with bug bounties today and how security issues should really be dealt with.

Prezi has now both apologised to me and also offered to pay me for my findings. I have updated my blog post to show this, as well as the emails exchanged between us. I'm glad that it ended this way - all within the last 12 hours.

Initially, I did not redact the developers' names, and after the blog post became I had to rush to make sure that I had removed them from all places which were indexed by Google. My intention was not to negatively affect the careers of the Prezi developers affected by my findings.

I thank everyone here, and generally on the internet, for looking closer into my findings.

Thank you, Shubham
j_s over 11 years ago

Break the rules, don't get the money. Surprise!!?? After reading the entire email thread, I think Prezi comes out better off than the OP:

*Actually we're continuously thinking on your case and struggling on the right move. On one hand, your finding was very useful for us, and we learnt a lesson from it. On the other hand, intra.prezi.com is out of scope, and by using the credentials to log in you violated the terms and conditions of our bounty program.*

...

*In the past we turned down the bounty request of people finding issues in out-of-scope services. We had a lot of internal discussions about your request: if we were about to pay, we couldn't justify our out-of-scope decisions for anyone else.*
nezza-_- over 11 years ago

Bad judgement call on the side of Prezi imho. He didn't abuse it and notified them immediately after verifying his finding, as it seems.
jrochkind1 over 11 years ago

What this guy describes doing (using accidentally exposed credentials to log in to somewhere) is quite a bit more than what other people have been successfully prosecuted for under the CFAA. I'd be careful.
hablahaha over 11 years ago

"We're pretty sure your actions were taken in good faith". Ouch, their email response contained barely an iota of gratitude and it was almost on the verge of passing judgement on his character.
eranation over 11 years ago

So let me get this straight: someone, aware of their bounty program or not, found their closed SOURCE CODE, and is getting a T-shirt? How much do you value your own source code? At least $10,000, right? ;) (probably much, much more). Who cares about the scope? If someone found my wallet on the street with $10,000 in it, I would give them a bit more than a T-shirt; I would buy them a whole wardrobe.

Think if someone found the source code for Windows / Office / Photoshop, without any bounty program, and responsibly disclosed it to the respective companies. If he didn't walk away with a nice amount of money, he could easily just put it on the nearest torrent site* without even feeling guilty (*this is wrong, and illegal, don't do it).
girvo over 11 years ago

Ignoring the bounty thing for a second, their email response "we think it was in good faith" seems... not right to me. Am I reading that weird, or did they seem pissed about him finding something like that?

He plugged a huge issue for them, and they screw him over due to "scope"... That's their choice, but it still seems bureaucratic to me.
gnu8 over 11 years ago

There should be a database of these bounty programs that can tell you if a company pays or not, sort of like a credit bureau.
jwr over 11 years ago

I don't understand why companies start those bug bounties and later try to avoid paying out the rewards. If it were me, I'd book the reward amount as "spent" the minute I decided on a bug bounty hunt.

I think this is (yet another) lesson that participating in these kinds of bounty hunts is very risky and should only be done if the company is reputable (which this one apparently is not).
pepe_kriek over 11 years ago

Seems like Prezi has changed its mind about not paying. Prezi being a Hungarian startup, it made a buzz in the local media with this story, and one of the leading news sites reached out to them and got this reply: "Prezi: Hibáztunk és fizetni fogunk", which means: "We made a mistake, we will pay".

They also said that they will release a blog post and change the bounty program, so mistakes like this will not happen again (hopefully).
randallsquared over 11 years ago

Wow, I hope you didn't send them your physical address after this. We often hear of companies sending the police after people trying to be helpful.
jcromartie over 11 years ago

Simply by logging in he could be thrown in jail. I hope some prosecutor doesn't get wind of this and decide to bring charges.
shabble over 11 years ago

One wonders if he wouldn't have been better[1] off downloading their app source, and using that to find 'in-scope' vulns much more easily than everyone else. They might catch on if you're too effective though. Maybe a spot of plausible parallel construction.

[1] Except for the totally illegal aspect, obviously. And the not-telling-them-their-source-is-open-to-the-world bit.
oskarth over 11 years ago

Presumably the goal of the bounty was to make Prezi more secure. OP found a serious security hole, without using a "violent" approach (spear phishing, cutting the power, etc). OP reported this security hole.

In a legal sense, they aren't obligated to pay. There are a lot of legal loopholes. By not paying for something that they obviously want to know, they are discouraging other security researchers from disclosing "out of scope" holes. To what end?

*If you succeed, we will give you cash. That's right; we'll pay cold hard currency into your bank account. Think of it as a thank you.* (Prezi bug bounty site)

I guess the right way to read this is as a (legal, of course) fuck you.
3223f over 11 years ago

This sends a worrying message to others - in future don't bother reporting vulnerabilities to Prezi, just obtain the source and sell exploits to the highest bidder.

It's no wonder security researchers turn to black hat methods, when they're treated/compensated like shit for their effort. "Swag" in return for your source code? What a joke.
psychboo over 11 years ago

I'm noticing yet another instance of HN modifying post titles. I originally titled this post "Finding Prezi's Source Code" specifically because I did not write the article. Now the post title reads (at first glance) as if I'm taking credit for the author's hard work.
daviddoran over 11 years ago

I think they acted pretty fairly by pointing out that it's the logging in that they have an issue with. Although it's not as satisfying, I think Shubham could have submitted the link and credentials to Prezi without actually accessing the repo. In particular, the report email contains the snippet "... I explored the nexus console to confirm that ...", and I can understand Prezi not wanting to encourage pen testers to explore their systems, even if they find them open to the world.
swalkergibson over 11 years ago

I suspect that the biggest reason is that this amazingly gigantic, critical vulnerability was so ridiculously easy to find that they cannot stand the idea of paying someone a large amount of money to "fix" it, when the fix is to simply deny access to that service from outside a LAN or whatever. Prezi thought that they had found all of the easy ones. Not quite.
edem over 11 years ago

My problem here is that the OP did not mask the names. Actually he did quite the opposite: he bolded them. This is no good. I can imagine the dev searching for his name on Google and finding that post.
darkbot over 11 years ago

This is definitely out of the scope of their "bughunt", although I think the guy should be rewarded anyway.

But I'm also quite upset with the fact that OP is outing the dev. Everybody makes mistakes; no need to out any individual developer because OP is pissed at the company management.
6cxs2hd6 over 11 years ago

> "Anyways, they did try and get it right, by emailing me an apology as well as responding to my constructive criticism. This blog post, is by no means attempting to discourage people from participating from Prezi's bug bounty, but rather just a blog post about how finding Prezi's source code was not eligible for their bug bounty."

Passive aggressive much?

I think he should have got a bounty -- if not the official one, then a special, *bigger* one. However, this is an odd way to conclude the post. "Oh, I'm not at *all* trying to discourage others from participating, oh no no". Of course he's trying to discourage others. With justification. I don't get it.
icambron over 11 years ago

This would be unethical and I would never do it, but the interesting scenario would have been if he'd secretly pulled the source code and used his access to it to find a bunch more bugs. He would look like a genius and pocket a bunch more money.
tantalor over 11 years ago

The rules seem to allow a reward for this kind of vulnerability:

*What's up with other vulnerabilities? ... we will consider if they are eligible for a bounty or not*

*What is the bounty? ... we will increase it at our discretion for distinctly creative or severe bugs*

Prezi explicitly designed the rules to be flexible, so they could give the award in this case, but decided not to because "intra.prezi.com is out of scope".

The rules about scope appear to exclude vulnerabilities in 3rd-party services such as AWS, not backends, e.g., *the backends for our iPad and desktop applications are in scope*

http://prezi.com/bugbounty/
veszig over 11 years ago

Here's the response from Prezi: http://engineering.prezi.com/blog/2013/12/03/a-bug-in-the-bugbounty/
lifeformed over 11 years ago

The redacted names are kind of pointless, because they're not redacted in the images of the emails.
rohitv over 11 years ago

Here's the cached version of the commit: http://webcache.googleusercontent.com/search?q=cache:https://bitbucket.org/flash42/config/commits/1934298e907b95234dca40050a2d0f6f

The Nexus Repositories URL (http://intra.prezi.com:8081/nexus/content/repositories) is still not restricted.
tbastos over 11 years ago

It would have been easy for him to steal the source code and blackmail them for bitcoins... companies are encouraging others to turn to the dark side by not giving fair rewards. I'm pretty sure there are lots of smart people living in difficult economic conditions who will now think twice before reporting a serious vulnerability at the risk of an unfair reward. If Synack can solve this, it would be a major win for everyone.
kyberias over 11 years ago

Why on earth would you ridicule the developer that made the mistake publicly? That is just utterly idiotic and irresponsible.
if_by_whisky over 11 years ago

Why not offer him the bounty in exchange for signing an NDA? If they're actually worried about not setting a precedent...
dutchbrit over 11 years ago

Finder should receive the highest bounty possible IMO.
scotty79 over 11 years ago

I hope he downloaded their whole source code. That should make locating in-scope bugs much easier.
joering2 over 11 years ago

What an asshole approach [1]. Please, next time someone finds a critical bug in the system, don't bother emailing them; just post it on Twitter.

[1] http://i.imgur.com/v3W9FD6.png
prawn over 11 years ago

Don't worry about the bounty; here, have swag that freely advertises our company. Weak. Why should anyone put up with that?

Pay him something outside the bug bounty program. Easy and cheap solution that could've avoided all this mess.
JoeAltmaier over 11 years ago

A bounty program is to get 'white hat' hackers to find and report vulnerabilities. The bounty is small, nowhere near what an extortionist could charge to keep the source secret, for instance.

By paying nothing for what could have been sold back to them for a huge sum, they may disaffect hackers, who could do them real harm. You become a sucker to volunteer for their 'bounty', and decide to turn to the dark side instead.

I think Prezi are very silly to be splitting hairs about this. They stuck the stick in the hornets' nest, now they are arguing with the hornets.
SeanDav over 11 years ago

The guy found and brought to their attention a simple exploit that could have seen valuable source code released into the wild, and the guys at Prezi are debating about paying him a bounty?

Does this mean that Prezi do not value their code and don't believe there would have been any significant loss if that code became public?

Are they saying that the next person that discovers serious flaws in their security should just keep quiet - or sell it on to some hacker, where at least they can make some money from it?

Just what message are the Prezi people trying to send by nit-picking over $500?
d0m over 11 years ago

One trick to avoid stupidities like this is to tell them what you found, but not *how*.

How much is the vulnerability of having access to *all your source code* worth? Just ping me if you're interested.
mankypro over 11 years ago

Silly PR move on their part. They should've given this guy some shush money to prevent this (now) PR nightmare. Shoddy security practices, shoddy marketing and PR. Tsk, tsk.
jasonlmk over 11 years ago

In case anyone missed it: Prezi finally decided to pay him the bounty.

Still a bad move to have denied him the bounty in the first place, but good to see that they're listening to the outrage.
ansible over 11 years ago

So the question I haven't seen asked in this thread is: Why is anyone still using something other than SSH to connect to their version control system? Why is any software still using usernames and passwords stored in plain text anywhere? With SSH, you create SSH key pairs and set a passphrase on the private key... which shouldn't end up in any public place, ever.
Fuxy over 11 years ago

This policy of limiting security assessments/bug bounties to only certain things is really stupid.

Do you really think that any extremely motivated hacker would just stick to the arbitrary terms you set?

He will do whatever it takes to get in, and by limiting security research you're making yourself vulnerable in other areas not defined in that assessment request.
mimog over 11 years ago

Nexus isn't a source code repository. What you found was their internal artifact server, i.e. compiled jar files.
thrillgore over 11 years ago

Dude needs to lawyer up right now. Doing the remote login has been seen as a violation of the CFAA.
pccampbell over 11 years ago

Having stringent terms for a bug bounty program basically means you're trying to get the community to do your team's job. Agree with @nikcub - it should be wide open, because finding this out was huge, no matter how "simple" it may have been.
chatman over 11 years ago

Prezi deserves to be boycotted for cheating Shubham out of his bounty based on a stupid "out of scope" excuse.

If cracking an internal service is possible, a bug exploiting it should be within the scope of any bounty program.
eyeareque over 11 years ago

Bug bounty program or not, I would be pretty afraid to try to log into a source code repository without authorization to do so. It seems like a lawyer could really go after you for doing something like this.
buremba over 11 years ago

The main point is that the thing OP found is really important for Prezi. I don't really understand why they have to figure out whether the vulnerability is in "the scope" or not.
Raphmedia over 11 years ago

So, the message they are sending is "if you find an 'out of scope' bug, sell it on the black market, because even if it could wreak havoc, we won't pay you for it."

Nice, nice.
Yhippa over 11 years ago

Are bug bounties roughly the market value of security holes in software? I wonder if this guy or less scrupulous developers could make more for them on the black market?
IanDrake over 11 years ago

Anyone else notice that "Adam <Redacted>"'s full name and contact info are *not redacted* in the screen print of the email?
phaed over 11 years ago

We should start an independent bounty in BTC for whoever can find and release their source code to the public. I can donate 1 BTC to the cause.
jayferd over 11 years ago

"...and all I got was this stupid T-shirt"
thekevan over 11 years ago

Didn't he not find a bug, but found company resources that had not been secured properly?
supercanuck over 11 years ago

Seems like acting nefariously is more profitable than doing the right thing.
jbverschoor over 11 years ago

I say release the code into the wild! Where it already was.
toryt over 11 years ago

Good article.