by daviddoran
4574 days ago
> Guy discovers critical vulnerability and could have completely fucked the company over.

We all frequently have the opportunity to cause damage, but we don't get rewarded for _not_ doing so. I think Prezi may have given the cash reward if the pentester hadn't logged in and browsed around. They probably don't want to set a precedent (take the data you find, get cash reward).

> ... because if the credentials were invalid (quite likely), it goes from CRITICAL to MINOR.

Agreed, but either way the pentester won't be able to fix it. All he can do is report his findings.

> ... but better that than black hats.

Agreed, but if you stray outside the terms of the bounty then you're no longer guaranteed the rewards. I think the pentester tried his best to report responsibly, but I don't think Prezi are obligated to give the reward, based on the terms.
This seems to be key. Did he just verify the credentials, or did he poke around thereafter? If the latter, Prezi has a better case but they should have stated it more clearly.