
A Bug in the Bug Bounty - veszig
http://engineering.prezi.com/blog/2013/12/03/a-bug-in-the-bugbounty/
======
ChuckMcM
Anecdotally I was snubbed at a younger age when the school district was
looking for a security system to prevent manipulating school grades. My
suggestion was to remove the disk pack (ok so it was a while ago) that
contained student records while the students had access to the system via
dialup, and replace it at night when the various accounting programs ran
(attendance, grades, etc). Imagine my surprise when the contest ended with no
winning solution, but oh by the way we've changed our policy and will not make
the student grades data available during the day.

We did get them to finally fess up that it was my suggestion which they had
adopted and they gave me the prize (which was a $250 scholarship as I recall).
But it has never ceased to amaze me that people don't think of security as
holistically as they should.

~~~
smtddr
In today's world, you'd be expelled...

[https://www.google.com/#q=expelled+for+reporting+security+bu...](https://www.google.com/#q=expelled+for+reporting+security+bug)

~~~
freehunter
Doubtful. He didn't say he had hacked the grades or accessed the information
in any way, just left a suggestion at the school's request.

------
MrZongle2
Prezi's apparently trying to cover their posteriors in the wake of Shubham's
disclosure and subsequent snub ( [http://blog.shubh.am/prezi-bug-bounty/](http://blog.shubh.am/prezi-bug-bounty/) ).

_"We greatly value this feedback."_

Weak sauce. Shubham's disclosure saved Prezi from a future nightmare. If
they're not going to pay him from the bug bounty coffers, they should at least
try and sound more like grateful humans rather than a pissy HR department
trying to do damage control.

~~~
kbenson
I think that's a bit harsh. I read the full email exchange he posted at the
end of his article[1], and they went to some length to explain their position
at the end of that exchange, and while I and many others wish it was different,
I find their position _understandable_. With any number of past security
submissions already deemed inadmissible for a bounty based on being out of
bounds, how do they justify doing it in this one case? I think they were
heading this direction anyway, and if anything this just sped up the time
frame.

1: [http://blog.shubh.am/wp-content/uploads/2013/12/LetterLog_Prezi.pdf](http://blog.shubh.am/wp-content/uploads/2013/12/LetterLog_Prezi.pdf)

~~~
vinu76jsr
So they screwed up in the past, and those screw-ups should be used to justify
this one? Their position is understandable, but in any case they can use their
discretion to make up for it, and it should not take one person to blow
something out of proportion and force them to make this change.

------
GauntletWizard
This is a trite response to an actual concern: Placing scope limits on bug
bounties is meaningless and dangerous. Hackers will not respect your scope.
The scope of a bug bounty program should always be "Anything that affects our,
or our users', data or security".

There's plenty of non-entities that get reported: failures of XSS protections
on data that is actually public, vulnerabilities on vendors' sites that don't
impact your data, etc. Those should be dealt with with a polite thank you.
Everything else should be valid, and everything else should be paid. Possibly
not high-tier paid. Have your security team (You don't have a security team?
Make one, even if it's just the coder from your team who has the most
experience) triage and report. Fix things, or don't, but don't be an asshole
and try to downplay real issues.

~~~
kbenson
I think that oversimplifies the problem. I think a scope helps keep overeager
researchers from doing things that result in legal problems for the company.
For example, are laws that require notification of data breaches and personal
identification triggered in certain cases? This isn't an academic setting,
these are real businesses.

I think the best of both worlds would be very wide scopes with targeted
limitations. Don't log into user accounts or company accounts at other
services, but here's a few sample user accounts that are fair game and if it's
an external service, here's a rep to vet whether credentials you gathered are
correct or not.

------
C1D
Let's all agree that had Shubham not posted what had happened, Prezi wouldn't
have done anything. This is just a PR stunt to save face.

~~~
jdbernard
No, I'm not going to agree. From Shubham's post it looks like they were
already planning to expand the scope of their program in response to his
findings. This is from their email to him on Nov. 4, a full month before his
blog post:

_First of all, we're still very thankful for pointing this issue out. The
credentials you found were a real threat. I agree when you write it was easy to
exploit._

[...]

_When we created the terms and conditions, we tried hard to add every web app
which we have impact on, and where a reported issue is a value for us. At that
time we weren't thinking of leaked passwords or such. In the past we turned
down the bounty request of people finding issues in out-of-scope services. We
had a lot of internal discussions about your request: if we were about to pay, we
couldn't justify our out-of-scope decisions for anyone else._

It seems reasonable from that email to assume they were discussing this
incident seriously and thinking about how this would affect future bug
bounties. I am willing to give them the benefit of the doubt unless you have a
strong reason otherwise. When the matter was private between them and Shubham
they issued a private apology and explanation. Now that Shubham has made the
issue public they have issued a public apology and explanation. This is an
appropriate response, not just a PR move.

------
jtchang
I haven't been following this story that closely but I just don't understand
why they don't pay him outside the bug bounty.

"Sorry this security hole wasn't in our bug bounty but we'd like to give you
the reward anyway. Please sign these legal documents and let us know if you
find anything else."

There is so much you can do by just being reasonable. Like if Prezi said they
can't officially acknowledge it under the bug program but can just pay out
some sort of reward, it makes way more sense.

Besides, if the bug was in the code under a subdomain where someone exposed
source code, it would be the same thing.

~~~
garethadams
You've been following the story _so_ un-closely that you didn't even notice
that _this article_ says that's exactly what they _are_ doing.

------
fourstar
Never even heard of Prezi before this. If anything, they should be thanking
this guy for all the free publicity.

~~~
nimble
That is if they're not paying him for it.

------
mcherm
Kudos to Prezi. They were not obligated to respond this way but they chose to,
and I think it is the best response they could have made. I particularly like
their statement that they would look to see whether anyone else had found
vulnerabilities that also should be rewarded under the new program.

~~~
kamakazizuru
Really? I think they were obligated - in the interest of not losing face among
the hacker community after Shubham's post. If anything this was just a PR move
more than anything else.

------
fowkswe
Why don't you just pay him for the service he provided you? Is your bounty
that high that you can't afford to?

It seems the negative publicity you are getting is going to cost you more.

~~~
jdbernard
It seems reasonable to assume that they will pay him:

 _To improve the program from now on we will reward bug hunters who find bugs
outside of the scope provided [...] We will also retroactively check to see if
other reports found issues that fall into this category._

------
pelario
They are paying Shubham. The original post is updated with the emails
regarding that. [http://blog.shubh.am/prezi-bug-bounty/](http://blog.shubh.am/prezi-bug-bounty/)

------
infinitebattery
I find it more respectable now that I see that Prezi actually posted a public
blog post acknowledging their fault in their bounty program.

Still, I have to side with Shubham. They should at least reward him now.

------
hernan604
The guy finds the company source code wide open and notifies them, and they treat
him like that?

What's up with those people? Have they lost their brains? Or is that inflated
egos?

------
mbarrett
A blog? I actually expected this to be in a Prezi.

A few months ago we launched a [Zoom/Pan] Bug Bounty Program

------
uladzislau
The last time I checked Prezi was extremely buggy to the point of being
unusable. So they should be very thankful for any bugs reported. Probably
their app usability is the consequence of not responding to the user reports.

Are they still relying on Adobe Flash when everyone else moved on?

