by eli 4579 days ago
It was out of scope. The rules are pretty clear: http://prezi.com/bugbounty/ and he broke at least two of them.

And it seems like he knew it was out of scope when he submitted it too: "I had spent a total of 2 hours sifting and crawling through their services which were in scope, but wanted to see if I could locate any other subdomains..."

Now I think Prezi should probably have paid him anyway because that's a pretty boneheaded error and I'd be very grateful if someone politely pointed it out to me... but they aren't obligated to. You can put your pitchforks down.

Sometimes people and companies have their heads stuck so far in procedures and policies that they can't see the forests from the trees.

The Finder provided tremendous value by discovering this issue and reporting it responsibly. He certainly should be rewarded with something more substantial than swag.

Would Prezi have preferred that the Finder just not report this issue?

It's not like they got him on some legalistic technicality. The bug bounty clearly doesn't cover the bug he reported.

And I don't usually go looking for them, but if I come across a security problem (e.g. someone left login credentials unsecured in bitbucket) I would let them know because it's the right thing to do, not because I expect cash.

It's not a technicality, but you're just saying "well, that's the policy" without considering whether the policy is the best way to accomplish certain goals. That's the point.

So because it was out of scope it means that it could not have harmed the company so he should have just left it there?

Prezi never claimed they would pay you for anything that harms the company. Their rules are, I think, unusually clear and specific.

You're not entitled to a bounty just because you found a bug. Some companies offer these bounties and it's good that they do, but that doesn't mean every company is obliged to offer them, or that a company that offers bounties for some bugs is obliged to offer them for all bugs.

How about a moral obligation? Honestly, it sounds like if a taxi driver returns a bag full of cash to the owner, it is perfectly alright if they just say "Thank you" and walk him to the road. Legally: nothing wrong, morally: being a greedy asshole.

Frankly if a taxi driver bitched on his blog about someone doing that I'd be saying the same thing. It's nice when someone gives you a reward for doing the right thing. But you shouldn't act like you're entitled to it, because you're not.
> But you shouldn't act like you're entitled to it, because you're not.

Depends where you are. In Germany you are entitled to a finder's fee by law (in the case of the taxi only if the value is > 50€ and only 2.5% instead of the normal 5%)

That's an interesting point of view. I consider it being a greedy asshole when you feel entitled to a reward for doing the right thing.

It should absolutely be in the interest of companies to reward security researchers who find flaws in their systems. Otherwise, they will be screwed by the less scrupulous.

We are talking about different things. Sure it's in the company's best interest, just as it is in the interest of someone that loses their wallet to offer a reward. That said, when nothing is offered up front (possibly because the problem is unknown), to feel entitled to a reward and disgruntled when one isn't offered is not what I would call "moral" behavior, as brought up farther up-thread.

It's moral when you do it because it's obviously the right thing for everyone involved. When there's money involved, that's something else.

Clearly, you are being sarcastic!

If not, I am amazed by your naïveté.

That's a false analogy. Taxi drivers are obligated to return lost property, but nobody is obligated to report bugs. That's why you create an incentive to report, i.e., the bug bounty.

"Taxi drivers and owners must return property they find in a taxicab." - http://www.nyc.gov/html/tlc/html/passenger/sub_lost_prop_inq...

Aye! It's not a perfect analogy but I was pointing out why people should reward the guy if he didn't exploit the situation in a wrong way. In this case, it was the whole source available to him. Albeit, he was more or less inclined to report the bug but what if he hadn't and probably sold it somewhere? Why shouldn't the company reward him for his effort?

Morally: A good deed is its own reward.

Further: Money doesn't have any owners. Only spenders.

As an aside this very thing is an excellent example of how extrinsic motivators can "poison the well" as it supersedes intrinsic motivation. Dan Pink gave a great talk on this -- http://www.youtube.com/watch?v=tJr9QajdCNc (sorry, I prefer the illustrated version).
For sure, he's also not obligated to not sell this information to the highest bidder.

He is obligated legally and (IMO) ethically.

> ethically

Double standards.

Can you expand?

Exactly. Because it was out of scope, he should find a competitor and sell the access to the source code!!!! :-P

"Now I think Prezi should probably have paid him anyway because that's a pretty boneheaded error and I'd be very grateful if someone politely pointed it out to me"

But Shubham did one additional thing, he unintentionally embarrassed a founder. That's the real reason he's not getting paid, everything else is a technicality...

That sounds like pure conjecture.

Good life lesson: don't be a dick.

A dick would have stuck it up on Pastebin or wherever it is the kids stick things these days.