- cross-posted to:
- cybersecurity@sh.itjust.works
hi, i’m daniel. i’m a 15-year-old with some programming experience and i do a little bug hunting in my free time. here’s the insane story of how I found a single bug that affected over half of all Fortune 500 companies:
Zendesk commented on the GitHub post with this:
My sides went into orbit!
The way the GitHub comment is phrased implies that the link contains additional info that hackermondev didn’t mention. It doesn’t - instead it contains a subset of that info, missing critical bits:
Both pieces of info were omitted to back up a lie present in the text, that the bug hunter would have “violated key ethical principles”. He didn’t - as he noticed that Zendesk gives no flying fucks about the security issue, and that remediation was unlikely, he warned the people affected by the issue, so they can protect themselves against it.
Zendesk is not just being irresponsible - it’s also being manipulative, and doubling down instead of doing the right thing (“we incorrectly dismissed that report. It was our bad. Here’s your 2k.”) They have no grounds to talk about ethical principles.