A Bug in the Bug Bounty (prezi.com)
106 points by veszig on Dec 3, 2013 | hide | past | favorite | 34 comments



Anecdotally I was snubbed at a younger age when the school district was looking for a security system to prevent manipulating school grades. My suggestion was to remove the disk pack (ok so it was a while ago) that contained student records while the students had access to the system via dialup, and replace it at night when the various accounting programs ran (attendance, grades, etc). Imagine my surprise when the contest ended with no winning solution, but oh by the way we've changed our policy and will not make the student grades data available during the day.

We did get them to finally fess up that it was my suggestion which they had adopted, and they gave me the prize (which was a $250 scholarship as I recall). But it has never ceased to amaze me that people don't think of security as holistically as they should.



Doubtful. He didn't say he had hacked the grades or accessed the information in any way, just left a suggestion at the school's request.


Prezi's apparently trying to cover their posteriors in the wake of Shubham's disclosure and subsequent snub (http://blog.shubh.am/prezi-bug-bounty/).

"We greatly value this feedback."

Weak sauce. Shubham's disclosure saved Prezi from a future nightmare. If they're not going to pay him from the bug bounty coffers, they should at least try and sound more like grateful humans rather than a pissy HR department trying to do damage control.


I think that's a bit harsh. I read the full email exchange he posted at the end of his article[1], and they went to some length to explain their position at the end of that exchange, and while I and many others wish it was different, I find their position understandable. With any number of past security submissions already deemed inadmissible for a bounty based on being out of bounds, how do they justify doing it in this one case? I think they were heading this direction anyway, and if anything this just sped up the time frame.

1: http://blog.shubh.am/wp-content/uploads/2013/12/LetterLog_Pr...


So they screwed up in the past, and those screw-ups should be used to justify this one? Their position is understandable, but in any case they can use their discretion to make up for it, and it should not take one person blowing something out of proportion to force them to make this change.


That their position is understandable doesn't make it any more reasonable.


"To improve the program from now on we will reward bug hunters who find bugs outside of the scope provided that they do not violate our users’ information and that their report triggers us to improve our code base. We will also retroactively check to see if other reports found issues that fall into this category."

This means Shubham will get the bounty.


I don't know about that: "from now on" seems to imply that in the future that will be the case.


Check the end of the quote, it says "retroactively".


Also: "and that their report triggers us to improve our code base".

Closing port 8001 isn't quite improving the code base.


But combing source code repositories for config files containing private information might be. 


Retroactively.


Whilst waiting for their response, I realised that I would rather not accept their "swag", and decided to instead, send off an email indicating why I wished to walk away with nothing...

Anyways, they did try and get it right, by emailing me an apology as well as responding to my constructive criticism.

Before Shubham posted anything.


I agree as well - this "apology" sounds so wishy-washy and weak.


They are actually paying Shubham. The original post by Shubham was updated: http://blog.shubh.am/prezi-bug-bounty/


@MrZongle2 I agree.


This is a trite response to an actual concern: placing scope limits on bug bounties is meaningless and dangerous. Hackers will not respect your scope. The scope of a bug bounty program should always be "Anything that affects our, or our users', data or security".

There are plenty of non-entities that get reported: failures of XSS protections on data that is actually public, vulnerabilities on vendors' sites that don't impact your data, etc. Those should be dealt with with a polite thank you. Everything else should be valid, and everything else should be paid. Possibly not high-tier paid. Have your security team (You don't have a security team? Make one, even if it's just the coder from your team who has the most experience) triage and report. Fix things, or don't, but don't be an asshole and try to downplay real issues.


I think that oversimplifies the problem. I think a scope helps keep overeager researchers from doing things that result in legal problems for the company. For example, are laws that require notification of data breaches and personal identification triggered in certain cases? This isn't an academic setting, these are real businesses.

I think the best of both worlds would be very wide scopes with targeted limitations. Don't log into user accounts or company accounts at other services, but here's a few sample user accounts that are fair game and if it's an external service, here's a rep to vet whether credentials you gathered are correct or not.


Let's all agree that had Shubham not posted what had happened, Prezi wouldn't have done anything. This is just a PR stunt to save face.


No, I'm not going to agree. From Shubham's post it looks like they were already planning to expand the scope of their program in response to his findings. This is from their email to him on Nov. 4, a full month before his blog post:

First of all, we're still very thankful for pointing this issue out. The credentials you found were a real threat. I agree when you write it was easy to exploit.

[...]

When we created the terms and conditions, we tried hard to add every web app which we have impact on, and where a reported issue is a value for us. At that time we weren't thinking of leaked passwords or such. In the past we turned down the bounty requests of people finding issues in out-of-scope services. We had a lot of internal discussions about your request: if we were about to pay, we couldn't justify our out-of-scope decisions for anyone else.

It seems reasonable from that email to assume they were discussing this incident seriously and thinking about how this would affect future bug bounties. I am willing to give them the benefit of the doubt unless you have a strong reason otherwise. When the matter was private between them and Shubham they issued a private apology and explanation. Now that Shubham has made the issue public they have issued a public apology and explanation. This is an appropriate response, not just a PR move.


I haven't been following this story that closely but I just don't understand why they don't pay him outside the bug bounty.

"Sorry this security hole wasn't in our bug bounty but we'd like to give you the reward anyway. Please sign these legal documents and let us know if you find anything else."

There is so much you can do by just being reasonable. Like if Prezi said they can't officially acknowledge it under the bug program but can just pay out some sort of reward it makes way more sense.

Besides, if the bug was in code under a subdomain where someone exposed source code, it would be the same thing.


You've been following the story so un-closely that you didn't even notice that this article says that's exactly what they are doing.


Never even heard of Prezi before this. If anything, they should be thanking this guy for all the free publicity.


That is if they're not paying him for it.


Kudos to Prezi. They were not obligated to respond this way but they chose to, and I think it is the best response they could have made. I particularly like their statement that they would look to see whether anyone else had found vulnerabilities that also should be rewarded under the new program.


Really? I think they were obligated, in the interest of not losing face among the hacker community after Shubham's post. If anything this was just a PR move more than anything else.


Why don't you just pay him for the service he provided you? Is your bounty that high that you can't afford to?

It seems the negative publicity you are getting is going to cost you more.


It seems reasonable to assume that they will pay him:

To improve the program from now on we will reward bug hunters who find bugs outside of the scope provided [...] We will also retroactively check to see if other reports found issues that fall into this category.


They are paying Shubham. The original post is updated with the emails regarding that. http://blog.shubh.am/prezi-bug-bounty/


I find it more respectable now that I see that Prezi actually posted a public blog post acknowledging their fault in their bounty program.

Still, I have to side with Shubham. They should at least reward him now.


The guy finds the company source code wide open and notifies them, and they treat him like that?

What's up with those people? Have they lost their brains? Or is it inflated egos?


A blog? I actually expected this to be in a Prezi.

A few months ago we launched a [Zoom/Pan] Bug Bounty Program


The last time I checked Prezi was extremely buggy to the point of being unusable. So they should be very thankful for any bugs reported. Probably their app usability is the consequence of not responding to the user reports.

Are they still relying on Adobe Flash when everyone else has moved on?



