Anecdotally, I was snubbed at a younger age when the school district was looking for a security system to prevent manipulating school grades. My suggestion was to remove the disk pack (ok, so it was a while ago) that contained student records while the students had access to the system via dialup, and replace it at night when the various accounting programs ran (attendance, grades, etc). Imagine my surprise when the contest ended with no winning solution, but oh, by the way, we've changed our policy and will not make the student grades data available during the day.

We did get them to finally fess up that it was my suggestion which they had adopted, and they gave me the prize (which was a $250 scholarship as I recall). But it has never ceased to amaze me that people don't think of security as holistically as they should.
Prezi's apparently trying to cover their posteriors in the wake of Shubham's disclosure and subsequent snub (http://blog.shubh.am/prezi-bug-bounty/).

"We greatly value this feedback."

Weak sauce. Shubham's disclosure saved Prezi from a future nightmare. If they're not going to pay him from the bug bounty coffers, they should at least try to sound more like grateful humans rather than a pissy HR department trying to do damage control.
This is a trite response to an actual concern: placing scope limits on bug bounties is meaningless and dangerous. Hackers will not respect your scope. The scope of a bug bounty program should always be "Anything that affects our, or our users', data or security".

There are plenty of non-entities that get reported: failures of XSS protections on data that is actually public, vulnerabilities on vendors' sites that don't impact your data, etc. Those should be dealt with with a polite thank you. Everything else should be valid, and everything else should be paid. Possibly not high-tier paid. Have your security team (you don't have a security team? Make one, even if it's just the coder from your team who has the most experience) triage and report. Fix things, or don't, but don't be an asshole and try to downplay real issues.
I haven't been following this story that closely, but I just don't understand why they don't pay him outside the bug bounty.

"Sorry, this security hole wasn't in our bug bounty, but we'd like to give you the reward anyway. Please sign these legal documents and let us know if you find anything else."

There is so much you can do by just being reasonable. Like if Prezi said they can't officially acknowledge it under the bug program but can just pay out some sort of reward, it makes way more sense.

Besides, if the bug was in the code under a subdomain where someone exposed source code, it would be the same thing.
Kudos to Prezi. They were not obligated to respond this way, but they chose to, and I think it is the best response they could have made. I particularly like their statement that they would look to see whether anyone else had found vulnerabilities that also should be rewarded under the new program.
Why don't you just pay him for the service he provided you? Is your bounty so high that you can't afford to?

It seems the negative publicity you are getting is going to cost you more.
They are paying Shubham. The original post is updated with the emails regarding that.
http://blog.shubh.am/prezi-bug-bounty/
I find it more respectable now that I see that Prezi actually posted a public blog post acknowledging their fault in their bounty program.

Still, I have to side with Shubham. They should at least reward him now.
The guy finds the company source code wide open and notifies them, and they treat him like that?

What's up with those people? Have they lost their minds? Or is it inflated egos?
The last time I checked, Prezi was extremely buggy to the point of being unusable. So they should be very thankful for any bugs reported. Probably their app's usability is the consequence of not responding to the user reports.

Are they still relying on Adobe Flash when everyone else has moved on?