by MrZongle2 4576 days ago
Prezi's apparently trying to cover their posteriors in the wake of Shubham's disclosure and subsequent snub ( http://blog.shubh.am/prezi-bug-bounty/ ).

"We greatly value this feedback."

Weak sauce. Shubham's disclosure saved Prezi from a future nightmare. If they're not going to pay him from the bug bounty coffers, they should at least try and sound more like grateful humans rather than a pissy HR department trying to do damage control.


I think that's a bit harsh. I read the full email exchange he posted at the end of his article[1], and they went to some length to explain their position at the end of that exchange, and while I and many others wish it were different, I find their position understandable. With any number of past security submissions already deemed inadmissible for a bounty based on being out of bounds, how do they justify doing it in this one case? I think they were heading in this direction anyway, and if anything this just sped up the time frame.

1: http://blog.shubh.am/wp-content/uploads/2013/12/LetterLog_Pr...

So they screwed up in the past, and those screw-ups should be used to justify this one? Their position is understandable, but in any case they can use their discretion to make up for it, and it should not take one person blowing something out of proportion to force them to make this change.
That their position is understandable doesn't make it any more reasonable.
"To improve the program from now on we will reward bug hunters who find bugs outside of the scope provided that they do not violate our users’ information and that their report triggers us to improve our code base. We will also retroactively check to see if other reports found issues that fall into this category."

This means Shubham will get the bounty.

I don't know about that: "from now on" seems to imply that in the future that will be the case.
Check the end of the quote, it says "retroactively".
Also: "and that their report triggers us to improve our code base".

Closing port 8001 isn't quite improving the code base.

But combing source code repositories for config files containing private information might be.
retroactively.
Whilst waiting for their response, I realised that I would rather not accept their "swag", and decided instead to send off an email indicating why I wished to walk away with nothing...

Anyways, they did try and get it right, by emailing me an apology as well as responding to my constructive criticism.

Before Shubham posted anything.

I agree as well - this "apology" sounds so wishy-washy and weak.
They are actually paying Shubham. The original post by Shubham was updated: http://blog.shubh.am/prezi-bug-bounty/
@MrZongle2 I agree.