In their position, I'd pay him the $500 and remove the idea of scope. I'm just curious if there's some counter-argument I'm not thinking about.
If I wanted to hack Prezi I now have a lot of very useful information.
1) Prezi is not interested in blocking access to people who already have the ID of the presentation. This is good news since it means I can enumerate the IDs and get access to private presentations - some of which could have useful private data.
2) Prezi is not interested in blocking attacks which enumerate user ids, etc. This is great news - I can get a list of likely email addresses to use later.
3) Prezi disallows any forms of attacks that utilize outside services. That means that while Prezi's core systems have now been nicely screened, other systems are going to be wide open because nobody has bothered to test them properly. This works well with the list of email addresses from above and possibly data obtained from the private presentations above.
EDIT: Just want to add that this shows a very large misconception in the corporate security world. Security is not something you can get a "B - good effort" for. Security is all encompassing. You either get an A+ and the hacker does not get in, or you get an F and your data is gone. There is no middle ground. Putting parts of your security off-limit means you shouldn't have even bothered to begin with.
That's not true. There are substantially different levels of security required depending on the expected resources an attacker can devote to attacking you, and you can be better or worse at resiliency and recovery (where dollars and hours very much form a continuum).
I think your post also shows a very large misconception in the disclosure world.
It sounds like you're saying that bug bounties should be a free-for-all.
Are you recognizing that these companies often already have security programs in place? Do you also concede that the companies may already be aware of where their vulnerabilities rest?
Large organizations know things that you don't when you're submitting bugs to a reward program. Constraints on a program help them focus on areas where they know they have unknowns. It also helps them deal with situations where they know fixes are scheduled, but not currently implemented.
How are things going to play out if you took the time to discover a bug and the company told you they're not going to pay for it because they already know about it and already have a fix scheduled?
The average 'researcher' is going to be pissed. You don't know if they're telling the truth, you put your valuable time into finding the bug, and you're wondering why you should put in your time next time.
Rules on a bug bounty program do not necessarily exist to constrain the reporters to only the "known strong areas". They're there to help avoid situations that might lead them to quite reasonably ask why they bothered to try to do a responsible disclosure in the first place.
There are a few reasons, most of them having to do with managing day to day operations and keeping the business operating, etc. It'd be great to have everything wide open and getting hammered until anything resembling a vulnerability is found, but that is sadly not really practical in most businesses.
Most bounty hunters aren't using precision. Without a doubt some are very meticulous, but a great many will throw every possible tool/option at their disposal at an application. This is great if it finds bugs, but it can also cause a lot of problems if their script generates a few hundred thousand help desk tickets that put your support/sales team way behind at a crucial time.
There's also a lot of politics that comes into play. A lot of times these bounty programs have a split fanbase within company management and anything that interrupts the business, causes "bad" PR, and such will be quickly pointed out as reasons why the program should be discontinued.
Bug bounties != pen tests. Penetration testing takes a lot more for teams to work with and get something out of, and honestly a lot of organizations don't get anything out of a pentest. They either get a vuln assessment that a scanner jockey exported to pdf and showed up in a sports coat to present, or if they get an actual pen test by some of the people really doing it they get their ass handed to them so badly they have no idea what to do.
Bounties are to help a company understand the problems they have and get them fixed. Pen testing is about seeing how well you respond when everything goes to hell around you. Smaller orgs being constantly beat down isn't going to let them get a lot done to do anything except put out fires. (beware, physical world analogy ahead) Learning to defend yourself involves working with an instructor, and constantly getting better, not paying someone to whip your ass daily until you can't stand. Some people can work through the latter and become very well adapted to mitigating the attacks, but most will just get beat down and quit.
Maybe Prezi was trying to take a stand by not paying the guy for being out of scope, and that's fine; they're certainly dealing with the consequences of that decision, but it's completely understandable as to why they'd want some sort of scope to begin with.
I can't speak for Prezi, but it seems like they want people to test the security of their app, but not of their employees or back office infrastructure. Maybe you disagree, but it's their bounty and I think those are fair rules.
Phishing employees, DDoSing definitely cause problems if a large number, or one, of bug bounty hunters take on the approach.
It seems even if all the bug bounty hunters searched for and found http://intra.prezi.com:8081, performed Google searches and tested found logins by hand, no problem would result for Prezi.
So it seems like phishing employees and DDoSing are inherently different from the approach in the post.
To qualify for the bug bounty he should have inserted code into their codebase and then exploited that. Fuck these guys.
Yes, because those control panels should require 2FA, so password-only access is a bug.
Large companies also invest significantly in protection against massive DDoS and power cuts to the building, along with drills for earthquakes and zombie apocalypses.
For example, if I was to set up a bounty I really wouldn't want people at random contacting current or former clients trying to phish for passwords; I completely understand this is a threat, but I would want to personally manage something like that.
With that said, if something like this was found I'd pay the person. There's a point where you just recognize "Oh shit, that's a big hole, pay the man.".
- Deleting the company's data.
- Stealing from customers.
- DDoSing the site.
If you find a bug by taking any of the blacklisted actions, you get no bounty.
This approach protects the company without unduly limiting the thoroughness of the review.
Even worse are the companies that DON'T state any kind of bug bounty or instructions to report a security bug...
I found a data leak issue in one of the web properties of an S&P 500 company last week and I'm not sure if I should report it, because I feel that if misunderstood it could have negative consequences for me; and not having a security contact means I can't be sure the person I'm talking to understands my motives.
That doesn't really apply in this case though.
And it seems like he knew it was out of scope when he submitted it too: "I had spent a total of 2 hours sifting and crawling through their services which were in scope, but wanted to see if I could locate any other subdomains..."
Now I think Prezi should probably have paid him anyway because that's a pretty boneheaded error and I'd be very grateful if someone politely pointed it out to me... but they aren't obligated to. You can put your pitchforks down.
The Finder provided tremendous value by discovering this issue and reporting it responsibly. He certainly should be rewarded with something more substantial than swag.
Would Prezi have preferred that the Finder just not report this issue?
And I don't usually go looking for them, but if I come across a security problem (e.g. someone left login credentials unsecured in bitbucket) I would let them know because it's the right thing to do, not because I expect cash.
But Shubham did one additional thing, he unintentionally embarrassed a founder. That's the real reason he's not getting paid, everything else is a technicality...
Companies could sign on to using this third party and pay a fee and put up escrow for the service. This would motivate researchers to find bugs for those companies that utilize the service, knowing payment will be impartial.
Disclosure: I'm co-founder of CrowdCurity
PS: the idea is pretty cool. So is the implementation =) Though how would you guys have handled it if an issue like this occurred on your platform? A submitter submits a bug but the company refuses to pay for it, citing "out of scope"?
https://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_(...
Apparently neither Prezi nor the guy who found the login are American, so this particular law might not apply, but many other countries have similar laws.
The only thing this causes is exceptionally bad PR, or even worse for the company; someone just got access and you don't know. Access to source code is like the gold mine of finding an exploit, because you will know exactly where a vulnerability is, and you won't even have to blindly test it.
This suggests that anything less than perfect security is worthless. Which is better, having pentesters look for vulnerabilities in 50% of your surface area, or having pentesters look for vulnerabilities in 0% of your surface area?
Setting up a bug bounty program has a cost, both in terms of processing the data submitted and in potential disruption of the provision of services. This cost will differ from attack vector to attack vector. Having pentesters dress up as utility workers and attempt to sneak into your company offices to install keyloggers will have an extremely high cost in terms of disruption. This cost may be higher than the potential benefit of learning about the company's vulnerabilities in this area.
There are also some attack vectors that may be problematic to allow pentesters to probe due to third-party contracts, data protection laws, compliance issues, etc.
You may disagree with the particular areas a company chooses to define as out-of-scope, but to claim that having any areas off-limits renders the whole enterprise pointless is reductive and incorrect.
Is this supposed to be rhetorical?
Say you buy a really good front door for your house, and forget to put a back door on your house. I would say that testing the security of the front door is a waste of time.
In the end, everything matters
An out-of-band attack in the datacenter, VPS? Compromise of a developer machine to get inside the network? Social engineering?
In the end, if it caused loss or extraction of service/data, it doesn't matter how it's done.
Passive aggressive much?
I think he should have got a bounty -- if not the official one, then a special, bigger one. However, this is an odd way to conclude the post. "Oh, I'm not at all trying to discourage others for participating, oh no no". Of course he's trying to discourage others. With justification. I don't get it.
I think Prezi should have done something like this:
* Acknowledge the problem and the seriousness of it
* Offer a reward, but not under the bounty, just a "thanks"
* Have him sign an NDA about the source itself, the specific details of the issue, and the amount of the award
* Allow him to write up the experience should he choose (good PR for Prezi)
* (maybe) Offer a contract for the researcher to find more such issues, or announce a different program as a result of it.
The reasoning behind doing it outside the program is that Prezi needs to walk a fine line between saying "just attack everything and we'll pay you!", "we are too process driven for our own good", or they end up getting bad press from people who tried to follow the rules not getting anything, but cheaters are getting paid.
I'm not sure I agree with this particular argument, it essentially reduces the concept of a bug bounty to blackmail. This mindset is not a constructive one.
The tester should get rewarded for their hard work and helpfulness, not the decision to follow the law.
> I had spent a total of 2 hours sifting and crawling through their services which were in scope, but wanted to see if I could locate any other subdomains, with the assistance of google.
While I agree that he most certainly found a "bug" (perhaps flaw would be a better word), it was out of scope. And using credentials from an employee to log in is nearly always out of scope.
They absolutely didn't.
I don't get how there seems to be absolutely no human side to these cases.
Guy discovers critical vulnerability and could have completely fucked the company over. Instead he responsibly reports it, and he gets back a big fuck you. How can you possibly think that's fair? The fact that it's out of scope only means they should give him an out of scope reward - much higher!
Saying he could have not checked the credentials is a bit silly, because if the credentials were invalid (quite likely), it goes from CRITICAL to MINOR.
And isn't the entire point in bug bounties to encourage pen testers to explore your system? Sure, you don't really want them poking around your source control, but better that than black hats.
All of the above aside. They really couldn't spare $500 for someone who could have caused $millions of damage?
We all frequently have the opportunity to cause damage, but we don't get rewarded for _not_ doing so. I think Prezi may have given the cash reward if the pentester hadn't logged in and browsed around. They probably don't want to set a precedent (take the data you find, get cash reward).
> ... because if the credentials were invalid (quite likely), it goes from CRITICAL to MINOR.
Agreed, but either way the pentester won't be able to fix it. All he can do is report his findings.
> ... but better that than black hats.
Agreed, but if you stray outside the terms of the bounty then you're no longer guaranteed the rewards. I think the pentester tried his best to report responsibly but I don't think Prezi are obligated to give the reward, based on the terms.
But I'm also quite upset with the fact that OP is outing the dev. Everybody makes mistakes, no need to out any individual developer because OP is pissed at the company management.
By doing this, future employers hopefully will not see the blog post when searching their names.
Where does it end?!
Actually we're continuously thinking on your case and struggling on the right move. On one hand, your finding was very useful for us, and we learnt a lesson from it. On the other hand, intra.prezi.com is out of scope, and by using the credentials to log in you violated the terms and conditions of our bounty program.
...
In the past we turned down the bounty request of people finding issues in out-of-scope services. We had a lot of internal discussions about your request: if we were about to pay, we couldn't justify our out-of-scope decisions for anyone else.
What, are we in kindergarten? Does Prezi not have managers entrusted with taking decisions? They can run their bounty program however they want.
That they choose to run it in this fashion sends several messages in addition to the obvious, "we are obnoxious miserly prats". While hackers in white hats might be hearing "concentrate your efforts elsewhere", those in black hear exactly the opposite message. Many people who might previously have admired Prezi for their innovation and paid them money for their services, have now heard a reason to find other means to create presentations. Potential acquirers and potential hires have heard that this company's management finds running a bounty program challenging.
EDIT: Maybe I'm being too harsh. Apparently this is a largely Hungarian company; it's possible there are cultural misunderstandings in play. From a (perhaps cliched?) American perspective, however, following the rules is less important than accomplishing the goals of the program.
Think if someone found the source code for Windows / Office / Photoshop, without any bounty program, and responsibly disclosed it to the respective companies. If he didn't walk away with nice amount of money, he could easily just put it in the nearest torrent site* without even feeling guilty (*this is wrong, and illegal, don't do it)
He plugged a huge issue for them, and they screw him over due to "scope"... That's their choice, but it still seems bureaucratic to me.
I think this is (yet another) lesson that participating in these kinds of bounty hunts is very risky and should only be done if the company is reputable (which this one apparently is not).
It's no wonder security researchers turn to black hat methods, when they're treated/compensated like shit for their effort. "Swag" in return for your source code? What a joke
Those who "turn to blackhat methods" do so because they want to make money and don't place a premium on the potential moral/legal/ethical issues at play in how they're doing it. They make a choice, irrespective of the shortsightedness on display by Prezi here. Don't conflate the two behaviors.
At the time in which I found the bug and was not awarded for it, I was quite upset, evident from my tone in the email in which I decided that I did not want to receive any of their "swag", but rather give them some constructive criticism.
I wasn't expecting the blog post to get as noticed as it did, but as it has, I was able to observe great points on both sides of the argument of whether or not I should have received the bug bounty. These discussions were definitely required as they brought out some important issues with bug bounties today and how security issues should really be dealt with.
Prezi has now both apologised to me and also offered to pay me for my findings. I have updated my blog post to show this, as well as the emails exchanged between us. I'm glad that it ended this way - all within the last 12 hours.
Initially, I did not redact the developers' names, and after the blog post became I had to rush to make sure that I had removed them from all places which were indexed by Google. My intention was not to negatively affect the careers of the Prezi developers affected by my findings.
I thank everyone here, and generally on the internet, for looking closer into my findings.
Thank you, Shubham
They also said that they will release a blog post and they will change the bounty program, so mistakes like this will not happen again (hopefully)
[1] Except for the totally illegal aspect, obviously. And the not-telling-them-their-source-is-open-to-the-world bit.
In a legal sense, they aren't obligated to pay. There are a lot of legal loopholes. By not paying for something that they obviously want to know, they are discouraging other security researchers from disclosing "out of scope" holes. To what end?
If you succeed, we will give you cash. That’s right; we’ll pay cold hard currency into your bank account. Think of it as a thank you. (Prezi bug bounty site)
I guess the right way to read this is as a (legal, of course) fuck you.
What’s up with other vulnerabilities? ... we will consider if they are eligible for a bounty or not
What is the bounty? ... we will increase it at our discretion for distinctly creative or severe bugs
Prezi explicitly designed the rules to be flexible, so they could give the award in this case, but decided not to because "intra.prezi.com is out of scope".
The rules about scope appear to exclude vulnerabilities in 3rd-party services such as AWS, not backends, e.g., the backends for our iPad and desktop applications are in scope
The Nexus Repositories URL (http://intra.prezi.com:8081/nexus/content/repositories) is still not restricted
Pay him something outside the bug bounty program. Easy and cheap solution that could've avoided all this mess.
By paying nothing for what could have been sold back to them for a huge sum, they may disaffect hackers, who could do them real harm. You become a sucker to volunteer for their 'bounty', and decide to turn to the dark side instead.
I think Prezi are very silly to be splitting hairs about this. They stuck the stick in the hornets' nest, now they are arguing with the hornets.
Does this mean that Prezi do not value their code and don't believe there would have been any significant loss if that code became public?
Are they saying that the next person that discovers serious flaws in their security should just keep quiet - or sell it on to some hacker, where at least they can make some money from it?
Just what message are the Prezi people trying to send by nit-picking over $500?
How much is the vulnerability of having access to all your source code worth? Just ping me if you're interested.
Still a bad move to have denied him the bounty in the first place, but good to see that they're listening to the outrage.
Do you really think that any extremely motivated hacker would just stick to the arbitrary terms you set?
He will do whatever it takes to get in and by limiting security research you're making yourself vulnerable in other areas not defined in that assessment request.
If cracking an internal service is possible, a bug exploiting it should be within scope of any bounty program.
Nice, nice.