1. 74
    1. 27

      The ignorance by Zendesk is mindblowing. IMO, going out of your way to make a disclosure like this rather than keeping it to yourself (or worse) should earn you the CEO’s entire salary for a year. After all, you’re saving the company about that much in bad press and bad blood with clients combined.

      1. 11

        While I agree on the ignorance of Zendesk and their vendor, HackerOne, the reputation of HackerOne suffered here. They could have avoided the write-up and some consequences of being ignorant by having paid a bounty for an obvious bug.

        I expect the first anyone at Zendesk knew there was a problem is when customers cancelled contracts. The last they knew there was a problem is likely believing HackerOne that it was some hacker not following the rules.

        1. 9

          The icing on the cake is not awarding a bounty, even a token amount, when the researcher didn’t wait for the bug to be fixed after disclosure.

          1. 2

            Using H1 without manual review (usually weekly) of discarded reports is malpractice.

            1. 1

              So, you argue that HackerOne is fundamentally incompetent?

              1. 2

                Yeah, kind of, in regards to their paid filtering product.

        2. 13

          Hilarious. Good job for this kid hitting them where it hurts: in the wallet.

          1. 9

            “Personally, I’ve always found it surprising that these massive companies, worth billions, rely on third-party tools like Zendesk instead of building their own in-house ticketing systems.”

            Ummm, not surprising at all. Unless they’re in the business of building ticketing systems, I don’t see why they would do that. Should they build their own printer drivers and OS as well?

            1. 0

              Great write up!