hi, i’m daniel. i’m a 15-year-old with some programming experience and i do a little bug hunting in my free time. here’s the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

  • lud@lemm.ee
    link
    fedilink
    English
    arrow-up
    12
    ·
    1 month ago

    Zendesk commented on the GitHub post with this:

    Daniel points this out at the end of his post but for those looking for more details on this bug submission, our team at Zendesk posted some info here.

    • Lvxferre@mander.xyz
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 month ago

      My sides went into orbit!

      The way that the Github comment is phrased, it implies that the link contains additional info that hackermondev didn’t mention. It doesn’t - instead it contains a subset of that info, missing critical bits:

      1. That Zendesk initially dismissed hackermondev’s report.
      2. That the “third parties” in question were Zendesk’s clients.

      Both pieces of info were omitted to back up a lie present in the text, that the bug hunter would have “violated key ethical principles”. He didn’t - as he noticed that Zendesk gives no flying fucks about the security issue, and that remediation was unlikely, he warned the people affected by the issue, so they can protect themselves against it.

      Zendesk is not just being irresponsible - it’s also being manipulative, and doubling down instead of doing the right thing (“we incorrectly dismissed that report. It was our bad. Here’s your 2k.”) They have no grounds to talk about ethical principles.