
I found Prezi's source code - psychboo
http://blog.shubh.am/prezi-bug-bounty/
======
sophacles
My $.02 on this is that Prezi should have not awarded the researcher the cash
under the bug bounty program, however they should have given him a reward
anyway. Awarding the money as part of the bug bounty wouldn't be fair play
under the rules of that program, but he potentially saved them a TON of money
and problems. As such, he should be rewarded somehow. Further, had he been
less than honest, he may have been able to leverage the code itself to find
more than one $500 bug.

I think Prezi should have done something like this:

* Acknowledge the problem and the seriousness of it

* offer a reward, but not under the bounty, just a "thanks"

* Have him sign an NDA about the source itself, and the specific details of the issue, and the amount of the award

* Allowed him to write up the experience should he choose (good PR for prezi)

* (maybe) offered a contract for the researcher to find more such issues, or announced a different program as a result of it.

The reasoning behind doing it outside the program is that Prezi needs to walk
a fine line between saying "just attack everything and we'll pay you!", "we
are too process driven for our own good", or they end up getting bad press
from people who tried to follow the rules not getting anything, but cheaters
are getting paid.

~~~
AGuyNamedChris
>Further, had he been less than honest, he may have been able to leverage the
code itself to find more than one $500 bug.

I'm not sure I agree with this particular argument, it essentially reduces the
concept of a bug bounty to blackmail. This mindset is not a constructive one.

The tester should get rewarded for their hard work and helpfulness, not the
decision to follow the law.

~~~
Ensorceled
I think he meant scan the source code for security issues and then report
those bugs one by one ...

~~~
sophacles
That is what I meant, I should have been more clear.

~~~
Dylan16807
How is that dishonest? It sounds like a great way to improve security and get
bounties.

~~~
antoinec
I'm sure (paying) customers will be totally fine with Prezi's source code
being available to anyone who wants to try to hack the site.

~~~
Dylan16807
I fail to see how that has anything to do with honesty. The source was leaked
accidentally.

------
eli
It _was_ out of scope. The rules are pretty clear:
[http://prezi.com/bugbounty/](http://prezi.com/bugbounty/) and he broke at
least two of them.

And it seems like he knew it was out of scope when he submitted it too: "I had
spent a total of 2 hours sifting and crawling through their services which
were _in scope_ , but wanted to see if I could locate any _other_
subdomains..."

Now I think Prezi should probably have paid him anyway because that's a pretty
boneheaded error and I'd be very grateful if someone politely pointed it out
to me... but they aren't obligated to. You can put your pitchforks down.

~~~
duiker101
So because it was out of scope it means that it could not have harmed the
company so he should have just left it there?

~~~
lmm
You're not entitled to a bounty just because you found a bug. Some companies
offer these bounties and it's good that they do, but that doesn't mean every
company is obliged to offer them, or that a company that offers bounties for
some bugs is obliged to offer them for all bugs.

~~~
shubhamjain
How about a moral obligation? Honestly, it sounds like if a taxi driver
returns a bag full of cash to the owner, it is perfectly alright if they just
say "Thank you" and walk him to the road. Legally: nothing wrong, morally:
being a greedy asshole.

~~~
kbenson
That's an interesting point of view. I consider it being a greedy asshole when
you feel entitled to a reward for doing the right thing.

~~~
iwwr
It should absolutely be in the interest of companies to reward security
researchers who find flaws in their systems. Otherwise, they will be screwed
by the less scrupulous.

~~~
kbenson
We are talking about different things. Sure it's in the company's best
interest, just as it is in the interest of someone that loses their wallet to
offer a reward. That said, when nothing is offered up front (possibly because
the problem is unknown), to feel _entitled_ to a reward and disgruntled when
one isn't offered is not what I would call "moral" behavior, as brought up
farther up-thread.

It's moral when you do it because it's obviously the right thing for everyone
involved. When there's money involved, that's something else.

~~~
pyre
Just because you're complaining doesn't mean you feel entitled. If someone is
rude to me and I complain about it, am I expressing that I feel _entitled_ to
have non-rude interactions with this person? If I post a negative book review
am I feeling _entitled_ to a good book?

~~~
kbenson
But is it rude for someone to not monetarily reward you for doing something
good? That's what I was replying to up-thread. To feel you deserve
compensation for a good deed when there was no prior agreement as such is
indeed entitlement.

This thread hasn't really been about the article for a while. It's been about
someone feeling that people that don't reward for good deeds are greedy
assholes, which I think sets a bad precedent. If you want to incentivize fine,
but let's not confuse that with what the _right thing to do_ is.

 _How about a moral obligation? Honestly, it sounds like if a taxi driver
returns a bag full of cash to the owner, it is perfectly alright if they just
say "Thank you" and walk him to the road. Legally: nothing wrong, morally:
being a greedy asshole._

Edit: Fixed truncated second paragraph.

------
toddmorey
Why even have a limited scope on bounty programs? (This is not the only time
I've seen that.) Is it only to limit payout? Are there legal reasons? For
example, their client tablet applications are ineligible. I just don't get the
reasoning.

In their position, I'd pay him the $500 and remove the idea of scope. I'm just
curious if there's some counter-argument I'm not thinking about.

~~~
eli
Well of course there have to be rules. Does spear phishing employees' email
accounts and using their password to access control panels count as a bug? I
bet I could hack a lot of companies that way. Does being susceptible to a
massive DDoS count as a bug? Cutting power to the building?

I can't speak for Prezi, but it seems like they want people to test the
security of their app, but not of their employees or back office
infrastructure. Maybe you disagree, but it's their bounty and I think those
are fair rules.

~~~
nostrademons
Large tech companies routinely run pentest exercises against themselves that
involve phishing their own employees. Good security has to include educating
the human element as well: if you have great technical security but all you
have to do to get in is ask an employee their password, you've lost.

Large companies also invest significantly in protection against massive DDoS
and power cuts to the building, along with drills for earthquakes and zombie
apocalypses.

~~~
eli
I wasn't trying to say those things aren't really security problems... just
that they perhaps aren't things you'd want random people on the internet
attempting to exploit.

------
colinbartlett
There should be some neutral third party non-profit that adjudicates bug
bounties so that security researchers don't need to worry that their efforts
will go to waste.

Companies could sign on to using this third party and pay a fee and put up
escrow for the service. This would motivate researchers to find bugs for those
companies that utilize the service, knowing payment will be impartial.

~~~
christianh
A simple option is CrowdCurity - reward programs as a service. Private or
public, dollars or bitcoin payments - everything setup and managed for the
companies.

[https://www.crowdcurity.com/](https://www.crowdcurity.com/)

Disclosure: I'm co-founder of CrowdCurity

~~~
xerophtye
You know, you are just harming yourself this way. If you must show your stuff
on HN, why not post it as a Show HN? Why do this dishonorable thing to gain
attention? IMO it actually harms you.

~~~
xerophtye
A downvote? :O But why? I thought we were unanimously against plugs?

~~~
vvvVVVvvv
You didn't get the memo? There's no such thing as a single "we" anymore.

------
Systemic33
What is the gain in setting up a "Can you hack us?" and then making some parts
out of scope?! It's not like a black hat hacker would go "Oh well, this isn't
their usual domain, so it's not fair" -.-

The only thing this causes is exceptionally bad PR, or even worse for the
company; someone just got access and you don't know. Access to source code is
like the gold mine of finding an exploit, because you will know exactly where
a vulnerability is, and you won't even have to blindly test it.

~~~
gabemart
> What is the gain in setting up a "Can you hack us?" and then make some parts
> out of scope?! It's not like a black hat hacker would go "Oh well, this
> isn't their usual domain, so It's not fair" -.-

This suggests that anything less than perfect security is worthless. Which is
better, having pentesters look for vulnerabilities in 50% of your surface
area, or having pentesters look for vulnerabilities in 0% of your surface
area?

Setting up a bug bounty program has a cost, both in terms of processing the
data submitted and in potential disruption of the provision of services. This
cost will differ from attack vector to attack vector. Having pentesters dress
up as utility workers and attempt to sneak into your company offices to
install keyloggers will have an extremely high cost in terms of disruption.
This cost may be higher than the potential benefit of learning about the
company's vulnerabilities in this area.

There are also some attack vectors that may be problematic to allow pentesters
to probe due to third-party contracts, data protection laws, compliance
issues, etc.

You may disagree with the particular areas a company chooses to define as out-
of-scope, but to claim that having any areas off-limits renders the whole
enterprise pointless is reductive and incorrect.

~~~
r-s
> This suggests that anything less than perfect security is worthless. Which
> is better, having pentesters look for vulnerabilities in 50% of your surface
> area, or having pentesters look for vulnerabilities in 0% of your surface
> area?

Is this supposed to be rhetorical?

Say you buy a really good front door for your house, and forget to put a back
door on your house. I would say that testing the security of the front door is
a waste of time.

~~~
csallen
You should read the rest of that post instead of stopping at the point you
quoted. I think he makes a good point: There are real costs associated with
expanding security, and there are points at which those costs _can_ become
unreasonably high.

I think your point is too extreme. Locking your front door is most definitely
NOT a waste of time, because with that move alone, you've automatically
protected yourself against the subset of attackers who don't think to try the
back door. Are you still vulnerable? Yes, of course. But decidedly less so. As
the OP said, 50% is better than 0%.

The real conversation that should be taking place is not whether or not a
limited scope should exist (it should), but how far that scope should extend
given the costs of extending it.

------
nikcub
Exhibit A of why having a scope for bug bounties is a terrible idea. What is
the point of testing your app for esoteric bugs when your entire source code
and passwords can be Google dorked?

~~~
mtrimpe
Or for expanding the scope when you realize it's obviously too narrow.

------
halacsy
I'm hp co-founder and CTO of prezi. We learn from our mistakes, we have
changed the program: To improve the program from now on we will reward bug
hunters who find bugs outside of the scope provided that they do not violate
our users’ information and that their report triggers us to improve our code
base. We will also retroactively check to see if other reports found issues
that fall into this category. More info at
engineering.prezi.com/blog/2013/12/03/a-bug-in-the-bugbounty/

~~~
agrias
This should be up-voted some more so people can see the resolution. I'm glad
you guys decided to reward the bug hunter for his time as well as provide a
response.

------
ddoolin
"Out of scope". Wow. Even more worthwhile that such a huge out of scope bug
was found. These companies seem to try anything to keep from paying bug
bounties.

~~~
gnur
To be fair, there was a scope set, and the author was fully aware of it:

> I had spent a total of 2 hours sifting and crawling through their services
> which were in scope, but wanted to see if I could locate any other
> subdomains, with the assistance of google.

While I agree that he most certainly found a "bug" (perhaps flaw would be a
better word), it was out of scope. And using credentials from an employee to
log in is nearly always out of scope.

~~~
3JPLW
That said, he could have gone "gray-hat" and used the source to find in-scope
bugs. Such a resource would be invaluable to an exploit author or bug bounty
hunter.

~~~
eli
Legally, I don't think there's much "gray" in stealing source code that
doesn't belong to you.

~~~
shawabawa3
> Legally, I don't think there's much "gray" in stealing source code that
> doesn't belong to you

I thought the whole point of gray hat is that it's possibly illegal, but not
downright "evil".

i.e. Stealing source code to fix bugs = gray, stealing source code to steal
credit card info = black

~~~
meowface
You're right, but it will still get you into legal trouble. Not only may you
not get a bounty, but they might sue or press charges for essentially copying
and scanning their source code.

Generally "gray hat" and "corporation/law-friendly" don't mix, even if there
are some cases that call for it.

------
infosec_au
Hi, I just thought I would update everyone on my experience and the last 12
hours.

At the time in which I found the bug and was not awarded for it, I was quite
upset, evident from my tone in the email in which I decided that I did not
want to receive any of their "swag", but rather give them some constructive
criticism.

I wasn't expecting the blog post to get as noticed as it did, but as it has, I
was able to observe great points on both sides of the argument of whether or
not I should have received the bug bounty. These discussions were definitely
required as they brought out some important issues with bug bounties today and
how security issues should really be dealt with.

Prezi has now both apologised to me and offered to pay me for my
findings. I have updated my blog post to show this, as well as the emails
exchanged between us. I'm glad that it ended this way - all within the last 12
hours.

Initially, I did not redact the developers names, and after the blog post
became I had to rush to make sure that I had removed them from all places
which were indexed by Google. My intention was not to negatively affect the
careers of the Prezi developers affected from my findings.

I thank everyone here, and generally on the internet, for looking closer into
my findings.

Thank you, Shubham

------
j_s
Break the rules, don't get the money. Surprise!!?? After reading the entire
email thread, I think Prezi comes out better off than the OP:

 _Actually we're continuously thinking on your case and struggling on the
right move. On one hand, your finding was very useful for us, and we learnt a
lesson from it. On the other hand, intra.prezi.com is out of scope, and by
using the credentials to log in you violated the terms and conditions of our
bounty program._

...

 _In the past we turned down the bounty request of people finding issues in
out-of-scope services. We had a lot of internal discussions about your request:
if we were about to pay, we couldn't justify our out-of-scope decisions for
anyone else._

~~~
jessaustin
_...if we were about to pay, we couldn't justify our out-of-scope decisions
for anyone else._

What, are we in kindergarten? Does Prezi not have managers entrusted with
taking decisions? They can run their bounty program however they want.

That they choose to run it in this fashion sends several messages in addition
to the obvious, "we are obnoxious miserly prats". While hackers in white hats
might be hearing "concentrate your efforts elsewhere", those in black hear
exactly the opposite message. Many people who might previously have admired
Prezi for their innovation and paid them money for their services, have now
heard a reason to find other means to create presentations. Potential
acquirers and potential hires have heard that this company's management finds
running a bounty program challenging.

EDIT: Maybe I'm being too harsh. Apparently this is a largely Hungarian
company; it's possible there are cultural misunderstandings in play. From a
(perhaps cliched?) American perspective, however, following the rules is less
important than accomplishing the goals of the program.

------
nezza-_-
Bad judgement call on the side of Prezi imho. He didn't abuse it and notified
them immediately after verifying his finding, as it seems.

~~~
Vivtek
And they sat on the decision until he pestered them. Not good at all.

------
jrochkind1
What this guy describes doing (using accidentally exposed credentials to log
in to somewhere) is quite a bit more than what other people have been
successfully prosecuted for under the CFAA. I'd be careful.

~~~
Vivtek
You mean that Prezi, a Hungarian company, would prosecute the author, an
Australian, under an American law?

The Internet isn't just something happening in the United States.

~~~
foldr
It's a fair point, but a lot of other countries have similarly strict laws.

~~~
Vivtek
Hungary doesn't. I live here.

~~~
foldr
Really? According to this monograph even logging into a non-password-protected
wifi network which doesn't belong to you has been treated as a case of theft
in Hungary:

[http://books.google.ca/books?id=ZjBvpN0zZNkC&lpg=PA33&ots=Uq...](http://books.google.ca/books?id=ZjBvpN0zZNkC&lpg=PA33&ots=UqvV5tuTyB&dq=cybercrime%20laws%20in%20hungary&pg=PA260#v=onepage&q&f=false)

Not exactly the same situation, but it suggests that the law is fairly strict.

------
hablahaha
"We're pretty sure your actions were taken in good faith". Ouch, their email
response contained barely an iota of gratitude and it was almost on the verge
of passing judgement on his character.

------
eranation
So let me get it straight, someone, aware of their bounty program or not,
found their closed SOURCE CODE, and is getting a T-Shirt? How much do you
value your own source code? At least 10,000$, right? ;) (probably much, much
more) Who cares about the scope? If someone found my wallet on the street
which had 10,000$ in it, I would give them a bit more than a T-Shirt, I would
buy them a whole wardrobe.

Think if someone found the source code for Windows / Office / Photoshop,
without any bounty program, and responsibly disclosed it to the respective
companies. If he didn't walk away with nice amount of money, he could easily
just put it in the nearest torrent site* without even feeling guilty (*this is
wrong, and illegal, don't do it)

~~~
girvo
If you found Adobe's source code, they'd probably sic the cops onto you.

------
girvo
Ignoring the bounty thing for a second, their email response "we think it was
in good faith" seems... not right to me. Am I reading that weird or did they
seem pissed about him finding something like that?

He plugged a huge issue for them, and they screw him over due to "scope"...
That's their choice, but it still seems bureaucratic to me.

~~~
rtkwe
They're talking about viewing the source code and testing the login. The
author could have just reported the leaked credentials and not logged on.
Testing them especially since it wasn't part of the program falls under
potentially extremely malicious.

------
gnu8
There should be a database of these bounty programs that can tell you if a
company pays or not, sort of like a credit bureau.

~~~
alexkus
[https://bugcrowd.com/list-of-bug-bounty-programs](https://bugcrowd.com/list-of-bug-bounty-programs)

------
jwr
I don't understand why companies start those bug bounties and later try to
avoid paying out the rewards. If it were me, I'd book the reward amount as
"spent" the minute I decided on a bug bounty hunt.

I think this is (yet another) lesson that participating in these kinds of
bounty hunts is very risky and should only be done if the company is reputable
(which this one apparently is not).

~~~
DougBTX
How is this not reputable? They are pretty clear about when they will not sue
people trying to hack their systems, a bounty is a bonus.

------
pepe_kriek
Seems like Prezi has changed its mind about not paying. Prezi being a
Hungarian startup made a buzz in the local media with this story and one of
the leading news sites reached out to them and got this reply: "Prezi: Hibáztunk
és fizetni fogunk" which means: "We made a mistake, we will pay"

They also said that they will release a blog post and they will change the
bounty program, so mistakes like this will not happen again (hopefully)

------
randallsquared
Wow, I hope you didn't send them your physical address after this. We often
hear of companies sending the police after people trying to be helpful.

------
jcromartie
Simply by logging in he could be thrown in jail. I hope some prosecutor
doesn't get wind and decides to bring charges.

~~~
err4nt
Why is that? Weren't the login credentials posted publicly?

~~~
Heliosmaster
If you leave your door open and someone enters without your knowledge, would
you call the police?

~~~
davorak
It is closer to finding someone's house key in a public place and deciding to
see if it opens their door or not before giving it back.

You did not enter the house, you did not explore. You turned the key, the
knob, and made sure the door would open a little.

Not something I would recommend, especially since the key had the owner's name
and address attached to it.

But not as bad as someone entering the home and looking around.

~~~
foldr
The analogies are beside the point. Logging in to a system which you don't
have permission to access just _is_ illegal in many countries, whether you
think that it ought to be or not.

~~~
davorak
> The analogies are beside the point.

It helps decide whether or not the legal response, if any, is reasonable.

> whether you think that it ought to be or not.

I was not trying to comment on what I think ought to be.

~~~
foldr
I don't see how those two statements are consistent with each other. The first
says you're trying to judge whether or not the law is reasonable, and the
second says that you're not trying to comment on what the law ought to be.

~~~
davorak
> judge whether or not the law is reasonable

I am trying to make that judgment and help others to do so.

> and the second says that you're not trying to comment on what the law ought
> to be.

If I am trying to make a judgment, if I am in the process of reasoning through
something I do not know what something ought to be.

Good analogies are those that help people reason through a problem and come to
the correct conclusion, not a tool to sway people to your opinion.

------
shabble
One wonders if he wouldn't have been better[1] off downloading their app
source, and using that to find 'in-scope' vulns much easier than everyone
else. They might catch on if you're too effective though. Maybe a spot of
plausible parallel construction.

[1] Except for the totally illegal aspect, obviously. And the not-telling-
them-their-source-is-open-to-the-world bit.

------
oskarth
Presumably the goal of the bounty was to make Prezi more secure. OP found a
serious security hole, without using a "violent" approach (spear phishing,
cutting the power, etc). OP reported this security hole.

In a legal sense, they aren't obligated to pay. There are a lot of legal
loopholes. By not paying for something that they obviously want to know, they
are discouraging other security researchers from disclosing "out of scope"
holes. To what end?

 _If you succeed, we will give you cash. That’s right; we’ll pay cold hard
currency into your bank account. Think of it as a thank you._ (Prezi bug
bounty site)

I guess the right way to read this is as a (legal, of course) fuck you.

------
3223f
This sends a worrying message to others - in future don't bother reporting
vulnerabilities to Prezi, just obtain the source and sell exploits to the
highest bidder.

It's no wonder security researchers turn to black hat methods, when they're
treated/compensated like shit for their effort. "Swag" in return for your
source code? What a joke

~~~
eyepulp
"It's no wonder security researchers turn to black hat methods" -- this seems
such a binary and pointless reduction of the options available. Yes, Prezi
could have turned this into a PR and security win, and failed to capitalize;
but the assumption that now the only option for a security researcher is to
turn to the dark side is... pretty ridiculous.

Those who "turn to blackhat methods" do so because they want to make money and
don't place a premium on the potential moral/legal/ethical issues at play in
how they're doing it. They make a choice, irrespective of the shortsightedness
on display by Prezi here. Don't conflate the two behaviors.

------
psychboo
I'm noticing yet another instance of HN modifying post titles. I originally
titled this post "Finding Prezi's Source Code" specifically because I did not
write the article. Now the post title reads (at first glance) as if I'm taking
credit for the author's hard work.

~~~
welder
Both titles are misleading. The title should be:

"I found Prezi's client-side source code"

------
daviddoran
I think they acted pretty fairly by pointing out that it's the logging in that
they have issue with. Although it's not as satisfying, I think Shubham could
have submitted the link and credentials to Prezi without actually accessing
the repo. In particular, the report email contains the snippet "... I explored
the nexus console to confirm that ..." and I can understand Prezi not wanting
to encourage pen testers to explore their systems, even if they find them open
to the world.

~~~
shawabawa3
> I think they acted pretty fairly

They absolutely didn't.

I don't get how there seems to be absolutely no human side to these cases.

Guy discovers critical vulnerability and could have completely fucked the
company over. Instead he responsibly reports it, and he gets back a big fuck
you. How can you possibly think that's fair? The fact that it's out of scope
only means they should give him an out of scope reward - much higher!

Saying he could have not checked the credentials is a bit silly, because if
the credentials were invalid (quite likely), it goes from CRITICAL to MINOR.

And isn't the _entire point_ in bug bounties to _encourage_ pen testers to
explore your system? Sure, you don't really want them poking around your
source control, but better that than black hats.

All of the above aside. They really couldn't spare $500 for someone who could
have caused $millions of damage?

~~~
daviddoran
> Guy discovers critical vulnerability and could have completely fucked the
> company over.

We all frequently have the opportunity to cause damage, but we don't get
rewarded for _not_ doing so. I think Prezi may have given the cash reward if
the pentester hadn't logged in and browsed around. They probably don't want to
set a precedent (take the data you find, get cash reward).

> ... because if the credentials were invalid (quite likely), it goes from
> CRITICAL to MINOR.

Agreed, but either way the pentester won't be able to fix it. All he can do is
report his findings.

> ... but better that than black hats.

Agreed, but if you stray outside the terms of the bounty then you're no longer
guaranteed the rewards. I think the pentester tried his best to report
responsibly but I don't think Prezi are obligated to give the reward, based on
the terms.

~~~
dllthomas
_" and browsed around"_

This seems to be key. Did he just verify the credentials, or did he poke
around thereafter? If the latter, Prezi has a better case but they should have
stated it more clearly.

------
swalkergibson
I suspect that the biggest reason is that this amazingly gigantic, critical
vulnerability was so ridiculously easy to find that they cannot stand the idea
of paying someone a large amount of money to "fix" it, when the fix is to
simply deny access to that service from outside a LAN or whatever. Prezi
thought that they found all of the easy ones. Not quite.

------
edem
My problem here is that the OP did not mask the names. Actually he did quite
the opposite: he bolded them. This is no good. I can imagine the dev searching
for his name in google and finding that post.

~~~
infosec_au
Hi, I'm the author of the blog post. I've masked last names from the post and
PDF, hopefully meaning that they won't be indexed with that post. Thanks for
bringing that to my attention.

~~~
edem
Thanks, it is much better now.

------
darkbot
This is definitely out of the scope of their "bughunt", although I think the
guy should be rewarded anyway.

But I'm also quite upset with the fact that OP is outing the dev. Everybody
makes mistakes, no need to out any individual developer because OP is pissed
at the company management.

~~~
infosec_au
I realised 2-3 hours after my blog post, and rushed to redact the last names
from the post + pdf. I have now also redacted last names from the screenshots.
Sorry about that! But thank you for letting me know. :)

~~~
vertis
FYI, You can still see the url of the user on bitbucket and from there still
get a name.

------
6cxs2hd6
> "Anyways, they did try and get it right, by emailing me an apology as well
> as responding to my constructive criticism. This blog post, is by no means
> attempting to discourage people from participating from Prezi’s bug bounty,
> but rather just a blog post about how finding Prezi’s source code was not
> eligible for their bug bounty."

Passive aggressive much?

I think he should have got a bounty -- if not the official one, then a
special, _bigger_ one. However, this is an odd way to conclude the post. "Oh,
I'm not at _all_ trying to discourage others from participating, oh no no". Of
course he's trying to discourage others. With justification. I don't get it.

~~~
RyanZAG
Probably doesn't want anybody pointing legal fingers at him for harming Prezi
or something.

~~~
6cxs2hd6
Oh I see. You mean like, "Here's my experience; I decided to stop
participating. But I'm not advising you to. Offer not valid in all areas. Yada
yada..."

------
icambron
This would be unethical and I would never do it, but the interesting scenario
would have been if he'd secretly pulled the source code and used his access to
it to find a bunch more bugs. He would look like a genius and pocket a bunch
more money.

------
tantalor
The rules seem to allow a reward for this kind of vulnerability,

 _What’s up with other vulnerabilities? ... we will consider if they are
eligible for a bounty or not_

 _What is the bounty? ... we will increase it at our discretion for distinctly
creative or severe bugs_

Prezi explicitly designed the rules to be flexible, so they could give the
award in this case, but decided not to because "intra.prezi.com is out of
scope".

The rules about scope appear to exclude vulnerabilities in 3rd-party services
such as AWS, not backends, e.g., _the backends for our iPad and desktop
applications are in scope_

[http://prezi.com/bugbounty/](http://prezi.com/bugbounty/)

------
veszig
Here's the response from Prezi
[http://engineering.prezi.com/blog/2013/12/03/a-bug-in-the-bugbounty/](http://engineering.prezi.com/blog/2013/12/03/a-bug-in-the-bugbounty/)

------
lifeformed
The redacted names are kind of pointless, because they're not redacted in the
images of the emails.

~~~
infosec_au
I redacted their names from the post and PDF only, to prevent Google from
indexing and associating the blog post with them.

By doing this, future employers hopefully will not see the blog post when
searching their names.

~~~
lifeformed
Oh I see, that makes sense.

------
rohitv
Here's the cached version of the commit:
[http://webcache.googleusercontent.com/search?q=cache:https:/...](http://webcache.googleusercontent.com/search?q=cache:https://bitbucket.org/flash42/config/commits/1934298e907b95234dca40050a2d0f6f)

The Nexus Repositories URL
([http://intra.prezi.com:8081/nexus/content/repositories](http://intra.prezi.com:8081/nexus/content/repositories))
is still not restricted.

------
tbastos
It would have been easy for him to steal the source code and blackmail them
for bitcoins... companies are encouraging others to turn to the dark side by
not giving fair rewards. I'm pretty sure there are lots of smart people living
in difficult economic conditions who will now think twice before reporting a
serious vulnerability at the risk of an unfair reward. If Synack can solve
this it would be a major win for everyone.

------
kyberias
Why on earth would you ridicule the developer that made the mistake publicly?
That is just utterly idiotic and irresponsible.

------
if_by_whisky
Why not offer him the bounty in exchange for signing an NDA? If they're
actually worried about not setting a precedent..

------
dutchbrit
Finder should receive the highest bounty possible IMO.

~~~
frankblizzard
a unicorn tear

------
scotty79
I hope he downloaded their whole source code. That should make locating in-scope
bugs much easier.

~~~
cordite
I don't know about you, but I'm not about to proofread someone else's source
code for a system I don't even know.

~~~
Ensorceled
I'm willing to do it for $500 a bug :-)

~~~
simplemath
Easy money for an unscrupulous sort

------
joering2
What an asshole approach [1]. Please, next time someone finds a critical bug in
the system, don't bother emailing them; just post it on Twitter.

[1] [http://i.imgur.com/v3W9FD6.png](http://i.imgur.com/v3W9FD6.png)

~~~
SideburnsOfDoom
The picture says "intra.prezi.com is out of scope". Because yeah, real
attackers would _definitely_ not go looking for a back door instead.

------
prawn
Don't worry about the bounty, here, have swag that freely advertises our
company. Weak. Why should anyone put up with that?

Pay him something outside the bug bounty program. Easy and cheap solution that
could've avoided all this mess.

------
JoeAltmaier
A bounty program is to get 'white hat' hackers to find and report
vulnerabilities. The bounty is small, nowhere near what an extortionist could
charge to keep the source secret for instance.

By paying nothing for what could have been sold back to them for a huge sum,
they may disaffect hackers, who could do them real harm. You become a sucker
to volunteer for their 'bounty', and decide to turn to the dark side instead.

I think Prezi are very silly to be splitting hairs about this. They stuck the
stick in the hornets' nest, now they are arguing with the hornets.

------
SeanDav
The guy found and brought to their attention a simple exploit that could have
seen valuable source code released into the wild and the guys at Prezi are
debating about paying him a bounty?

Does this mean that Prezi do not value their code and don't believe there
would have been any significant loss if that code became public?

Are they saying that the next person that discovers serious flaws in their
security should just keep quiet - or sell it on to some hacker, where at least
they can make some money from it?

Just what message are the Prezi people trying to send by nit-picking over
$500?

------
d0m
One trick to avoid stupidities like this is to tell them what you found, but
not _how_.

How much is the vulnerability of having access to _all your source code_
worth? Just ping me if you're interested.

------
mankypro
Silly PR move on their part. They should've given this guy some shush money to
prevent this (now) PR nightmare. Shoddy security practices, shoddy marketing
and PR. Tsk, tsk.

------
jasonlmk
In case anyone missed it: Prezi finally decided to pay him the bounty.

Still a bad move to have denied him the bounty in the first place, but good to
see that they're listening to the outrage.

------
ansible
So the question I haven't seen asked in this thread is: Why is anyone still
using something other than SSH to connect to their version control system? Why
is any software still using usernames and passwords stored in plain text
anywhere? With SSH, you create SSH key pairs and set a passphrase on the
private key... which shouldn't end up in any public place, ever.

~~~
brown9-2
Well the credentials in the properties file shouldn't have ended up in a
public place ever. So if you replace username/password with a key, a human can
still accidentally publicize the key.
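
Added example (not code from the post, from Prezi, or from the commenters): a pre-commit style check that parses a Java .properties file and flags credential-looking keys whose values are literals rather than placeholders, which is the kind of check that catches the leak this thread is about. The sample file, its key names and its values are constructed.

```python
import re

# Keys whose values must never be literal secrets in a committed file.
CREDENTIAL_KEY = re.compile(r"(password|passwd|pwd|secret|token|api[_.-]?key)", re.I)
# Values that are placeholders, not secrets: empty, ${ENV_VAR}, <fill-in>, @@TOKEN@@.
PLACEHOLDER = re.compile(r"^(\$\{[^}]*\}|<[^>]*>|@@[^@]*@@)?$")


def parse_properties(text):
    """Yield (line_number, key, value) from .properties text.

    Handles '#'/'!' comment lines, '=' or ':' separators and
    backslash line continuations, as java.util.Properties does.
    """
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        start, logical = i + 1, lines[i]
        # A trailing backslash means the value continues on the next line.
        while logical.endswith("\\") and i + 1 < len(lines):
            i += 1
            logical = logical[:-1] + lines[i].lstrip()
        i += 1
        stripped = logical.strip()
        if not stripped or stripped[0] in "#!":
            continue
        m = re.match(r"\s*([^=:\s]+)\s*[=:]?\s*(.*)$", logical)
        if m:
            yield start, m.group(1), m.group(2).strip()


def find_plaintext_credentials(text):
    """Return [(line_number, key)] for credential keys holding literal values."""
    return [(n, k) for n, k, v in parse_properties(text)
            if CREDENTIAL_KEY.search(k) and not PLACEHOLDER.match(v)]


# Constructed sample resembling a build config with an embedded repository login.
SAMPLE = """\
# constructed sample, not the file from the post
nexus.url=http://repo.example.internal:8081/nexus/content/repositories
nexus.username=builduser
nexus.password=hunter2
deploy.token=${DEPLOY_TOKEN}
db.secret: <set-at-deploy-time>
long.key=part1\\
  part2
"""

if __name__ == "__main__":
    for n, k in find_plaintext_credentials(SAMPLE):
        print(f"line {n}: literal credential in key '{k}'")  # line 4: nexus.password
```

Wired into a pre-commit hook, a non-empty result blocks the commit; the placeholder forms let the same file still declare which keys are injected at deploy time.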

------
Fuxy
This policy of limiting security assessments/bug bounties to only certain
things is really stupid.

Do you really think that any extremely motivated hacker would just stick to
the arbitrary terms you set?

He will do whatever it takes to get in and by limiting security research
you're making yourself vulnerable in other areas not defined in that
assessment request.

------
mimog
Nexus isn't a source code repository. What you found was their internal
artifact server, i.e. compiled jar files.

~~~
ollysb
If you look inside those compiled jar files you'll find that the code is
pretty easy to read. It's certainly enough to find vulnerabilities.

~~~
mimog
But.. that can be said about any Java (jar) program's class files. It is also
not difficult to decipher the asm of a disassembled exe file, but to equate
that with finding the source code of the program would be disingenuous.

~~~
phaed
You can drag and drop that jar file into
[http://jd.benow.ca/](http://jd.benow.ca/) and in two clicks you have 100% of
the source code, variable names and all. It's not the same as decompiling a C
executable by any means.

~~~
mimog
Having tested [http://jd.benow.ca/](http://jd.benow.ca/) I must admit it seems
to do a near perfect job. Impressive and scary at the same time.

------
thrillgore
Dude needs to lawyer up right now. Doing the remote login has been seen as a
violation of the CFAA.

~~~
jpatokal
Prezi the company is in Hungary, not the US, and intra.prezi.com (70.38.38.86)
seems to be in Montreal, Canada.

~~~
Vivtek
And the dude in question is in Australia.

None of this happened in the United States at all - it's amazing! Non-Americans
also have businesses!

~~~
balls187
Not very good ones, apparently.

------
pccampbell
Having stringent terms for a bug bounty program basically means you're trying
to get the community to do your team's job. Agree with @nikcub - it should be
wide open, because finding this out was huge, no matter how "simple" it may
have been.

------
chatman
Prezi deserves to be boycotted for cheating Shubham out of his bounty based on
stupid "out of scope" excuse.

If cracking an internal service is possible, a bug exploiting it should be
within scope of any bounty program.

------
eyeareque
Bug bounty program or not, I would be pretty afraid to try to log into a
source code repository without authorization to do so. It seems like a lawyer
could really go after you for doing something like this.

------
buremba
The main point is the thing that OP found is really important for Prezi. I
don't really understand why they have to figure out whether the vulnerability
is in "the scope", or not.

------
Raphmedia
So, the message they are sending is "if you find an 'out of scope' bug, sell
it on the black market because even if it could wreak havoc, we won't pay you
for it."

Nice, nice.

------
Yhippa
Are bug bounties roughly the market value of security holes in software? I
wonder if this guy or less scrupulous developers could make more for them on
the black market?

~~~
girvo
If the exploits are for the right targets, you bet they're worth more on the
black market, but with great reward comes great risk: now you're doing
something that can possibly get you jail time.

------
IanDrake
Anyone else notice that "Adam <Redacted>"'s full name and contact info are
_not redacted_ in the screen print of the email?

~~~
infosec_au
I removed the last names from the blog posts and from the PDF, as they could
be indexed by Google. I have now also removed them from the screenshots.
Thanks. My intention was not to negatively affect these developers' careers.

~~~
_puk
Commendable, though you probably need to redact the bitbucket link in the
screenshot too as that has Adam <redacted>'s full name as owner of the repo.

Where does it end?!

------
phaed
We should start an independent bounty in btc for whoever can find and release
their source code into the public. I can donate 1 btc to the cause.

------
jayferd
"...and all I got was this stupid T-shirt"

------
thekevan
Didn't he not find a bug, but found company resources that had not been
secured properly?

------
supercanuck
Seems like acting nefarious is more profitable than doing the right thing.

------
jbverschoor
I say release the code in the wild! Where it already was

------
toryt
good article

