The ignorance by Zendesk is mindblowing. IMO, going out of your way to make a disclosure like this rather than keeping it to yourself (or worse) should earn you the CEO’s entire salary for a year. After all, you’re saving the company about that much in bad press and bad blood with clients combined.
While I agree about the ignorance of Zendesk and their vendor, HackerOne, the reputation of HackerOne suffered here. They could have avoided the write-up and some consequences of being ignorant by having paid a bounty for an obvious bug.
I expect the first anyone at ZenDesk knew there was a problem is when customers cancelled contracts. The last they knew there was a problem is likely believing HackerOne that it was some hacker not following the rules.
The icing on the cake is not awarding a bounty, even a token amount, when the researcher didn’t wait for the bug to be fixed after disclosure.
Using H1 without manual review (usually weekly) of discarded reports is malpractice.
So, you argue that HackerOne is fundamentally incompetent?
Yeah, kind of, in regards to their paid filtering product.
Hilarious. Good job for this kid hitting them where it hurts: in the wallet.
“Personally, I’ve always found it surprising that these massive companies, worth billions, rely on third-party tools like Zendesk instead of building their own in-house ticketing systems.”
Ummm, not surprising at all. Unless they’re in the business of building ticketing systems, I don’t see why they would do that. Should they build their own printer drivers and OS as well?
Great write up!