My $.02 on this is that Prezi should have not awarded the researcher the cash under the bug bounty program, however they should have given him a reward anyway. Awarding the money as part of the bug bounty wouldn't be fair play under the rules of that program, but he potentially saved them a TON of money and problems. As such, he should be rewarded somehow. Further, had he been less than honest, he may have been able to leverage the code itself to find more than one $500 bug. I think Prezi should have done something like this:

* Acknowledge the problem and the seriousness of it
* Offer a reward, but not under the bounty, just a "thanks"
* Have him sign an NDA about the source itself, the specific details of the issue, and the amount of the award
* Allow him to write up the experience should he choose (good PR for Prezi)
* (maybe) Offer a contract for the researcher to find more such issues, or announce a different program as a result of it

The reasoning behind doing it outside the program is that Prezi needs to walk a fine line between saying "just attack everything and we'll pay you!" and "we are too process driven for our own good", or they end up getting bad press from people who tried to follow the rules not getting anything, while cheaters are getting paid.
I'm not sure I agree with this particular argument; it essentially reduces the concept of a bug bounty to blackmail. This mindset is not a constructive one.
The tester should get rewarded for their hard work and helpfulness, not the decision to follow the law.