I think they acted pretty fairly by pointing out that it's the logging in that they have an issue with. Although it's not as satisfying, I think Shubham could have submitted the link and credentials to Prezi without actually accessing the repo. In particular, the report email contains the snippet "... I explored the nexus console to confirm that ..." and I can understand Prezi not wanting to encourage pen testers to explore their systems, even if they find them open to the world.
I don't get how there seems to be absolutely no human side to these cases.
Guy discovers a critical vulnerability and could have completely fucked the company over. Instead he responsibly reports it, and he gets back a big fuck you. How can you possibly think that's fair? The fact that it's out of scope only means they should give him an out-of-scope reward - much higher!
Saying he could have not checked the credentials is a bit silly, because if the credentials were invalid (quite likely), it goes from CRITICAL to MINOR.
And isn't the entire point in bug bounties to encourage pen testers to explore your system? Sure, you don't really want them poking around your source control, but better that than black hats.
All of the above aside. They really couldn't spare $500 for someone who could have caused $millions of damage?
> Guy discovers critical vulnerability and could have completely fucked the company over.
We all frequently have the opportunity to cause damage, but we don't get rewarded for _not_ doing so. I think Prezi may have given the cash reward if the pentester hadn't logged in and browsed around. They probably don't want to set a precedent (take the data you find, get cash reward).
> ... because if the credentials were invalid (quite likely), it goes from CRITICAL to MINOR.
Agreed, but either way the pentester won't be able to fix it. All he can do is report his findings.
> ... but better that than black hats.
Agreed, but if you stray outside the terms of the bounty then you're no longer guaranteed the rewards. I think the pentester tried his best to report responsibly but I don't think Prezi are obligated to give the reward, based on the terms.
This seems to be key. Did he just verify the credentials, or did he poke around thereafter? If the latter, Prezi has a better case but they should have stated it more clearly.