by nickpsecurity 3696 days ago
Oh, come on, I'll give that a troll win at best. The clear implication was subverting software users would run. Let him social engineer that one. I'd put it in a bug fix or something, Obfuscated C contest style.

This is what social engineering is: asking someone to do something that they normally would do, in order to get the desired outcome.
Re: your deleted comment

You suggested I "didn't get it" because trolling stuff that wins a game was the point. Actually, what made me think about impact was on the website and the challenge itself:

"Backdoor Insertion Proof-of-Concept Bounty: The first time someone tricks me into inserting the string "BackdoorPoCTwitter" into a release of any of my software projects"

The whole point is assessing the ability to backdoor software products. A social attack that succeeds might teach us something. The cheat teaches us nothing but is amusing. So, I certainly get it and read the site before I wrote here. ;)

Note: The same page said the employer's website was off limits for hacks and pentests. I assumed that meant Defuse. So, I never considered a website attack as in scope in the first place.

Depends on what the desired outcome is. I read the challenge as compromising one of the pieces of software on the website. Doing that with social engineering was the desired outcome.

The attacker thought out of the box to tackle a lesser challenge: getting a string onto the website itself. It was technically true under the rules, funny, and the contest issuer even owned up to it. It's not the real challenge, though. No real-world impact. So, just amusing trolling.

Websites are made of software.
Lol. I'm not repeating myself twice if you're not seeing the point.
You're failing to see the charm here. Social engineering is a confidence trick that exploits gaps in someone's personal trust system.

Surely you are right that when he presented the challenge he had something different in mind. But that's exactly the point! The winner realized that the website itself might be a gap in the challenger's trust system; a place where he would have his guard down.

Eschewing the implied parameters of a problem and cheating expectations are what vulnerability detection is all about.

I not only see that: I specifically explained the expectation and how it was reframed into a new target above.

https://news.ycombinator.com/item?id=11693426

You're failing to see my actual concern here. I'm one of those old-school types that rate people on the impact their work has first and how clever/funny it is second. The first, expected challenge had consequences with impact. Tackling that with effort even close to success would be praiseworthy & even contribute something new to INFOSEC.

The other thing is the kind of shit I do to coworkers and people online all day for fun. One I hadn't thought of, and clever for sure, but the same concept. It's a combo of wit and sophistry that focuses on technicalities in the statements of people who aren't thinking carefully about them. Outside policy and procedures, outthinking a statement has no impact at all.

So, as I think along both lines, I recognize it as clever trolling in the second category, like I do 20 times a day. Similarly pointless. Just fun and funny. Then I acknowledge that the real target or challenge would've been more valuable, implicitly encouraging people to go for that one in case we learn something important. You know, relevant to information security. Plus, I give the highest props to people that pull off difficult or nigh-impossible feats.

A website is software that users run.
A website is either data a browser interprets or a combo of that plus software (e.g. JavaScript). This is compromising his software only in the most technical, trolling sense. It won't affect his apps at all.
Software is data an operating system and processor interprets. He never specified apps.

Besides, how would inserting the string in his apps have any different effect than inserting it into the website? This is completely within the parameters that were set (because there weren't many).

I already explained my perspective on this here:

https://news.ycombinator.com/item?id=11696750

Suffice it to say, the real point is whether people can compromise his apps with something that would harm their computer. So, let's rephrase your question: "What's the difference between convincing him to post a challenge string on his website and convincing him to arbitrarily modify the code of apps he distributes to users?" Obviously, a huge difference unless he's a complete idiot.