
I found Prezi's source code

712 points| psychboo | 12 years ago |blog.shubh.am | reply

255 comments

[+] sophacles|12 years ago|reply
My $.02 on this is that Prezi should not have awarded the researcher the cash under the bug bounty program, however they should have given him a reward anyway. Awarding the money as part of the bug bounty wouldn't be fair play under the rules of that program, but he potentially saved them a TON of money and problems. As such, he should be rewarded somehow. Further, had he been less than honest, he may have been able to leverage the code itself to find more than one $500 bug.

I think Prezi should have done something like this:

* Acknowledge the problem and the seriousness of it

* offer a reward, but not under the bounty, just a "thanks"

* Have him sign an NDA about the source itself, and the specific details of the issue, and the amount of the award

* Allow him to write up the experience should he choose (good PR for Prezi)

* (maybe) offer a contract for the researcher to find more such issues, or announce a different program as a result of it.

The reasoning behind doing it outside the program is that Prezi needs to walk a fine line between saying "just attack everything and we'll pay you!", "we are too process driven for our own good", or they end up getting bad press from people who tried to follow the rules not getting anything, but cheaters are getting paid.

[+] AGuyNamedChris|12 years ago|reply
>Further, had he been less than honest, he may have been able to leverage the code itself to find more than one $500 bug.

I'm not sure I agree with this particular argument, it essentially reduces the concept of a bug bounty to blackmail. This mindset is not a constructive one.

The tester should get rewarded for their hard work and helpfulness, not the decision to follow the law.

[+] eli|12 years ago|reply
It was out of scope. The rules are pretty clear: http://prezi.com/bugbounty/ and he broke at least two of them.

And it seems like he knew it was out of scope when he submitted it too: "I had spent a total of 2 hours sifting and crawling through their services which were in scope, but wanted to see if I could locate any other subdomains..."

Now I think Prezi should probably have paid him anyway because that's a pretty boneheaded error and I'd be very grateful if someone politely pointed it out to me... but they aren't obligated to. You can put your pitchforks down.

[+] nowayman|12 years ago|reply
Sometimes people and companies have their heads stuck so far in procedures and policies that they can't see the forest for the trees.

The Finder provided tremendous value by discovering this issue and reporting it responsibly. He certainly should be rewarded with something more substantial than swag.

Would Prezi have preferred that the Finder just not report this issue?

[+] duiker101|12 years ago|reply
So because it was out of scope it means that it could not have harmed the company so he should have just left it there?
[+] woodchuck64|12 years ago|reply
"Now I think Prezi should probably have paid him anyway because that's a pretty boneheaded error and I'd be very grateful if someone politely pointed it out to me"

But Shubham did one additional thing, he unintentionally embarrassed a founder. That's the real reason he's not getting paid, everything else is a technicality...

[+] toddmorey|12 years ago|reply
Why even have a limited scope on bounty programs? (This is not the only time I've seen that.) Is it only to limit payout? Are there legal reasons? For example, their client tablet applications are ineligible. I just don't get the reasoning.

In their position, I'd pay him the $500 and remove the idea of scope. I'm just curious if there's some counter-argument I'm not thinking about.

[+] RyanZAG|12 years ago|reply
Having these kinds of rules on bug bounty programs is excellent for hackers though.

If I wanted to hack Prezi I now have a lot of very useful information.

1) Prezi is not interested in blocking access to people who already have the ID of the presentation. This is good news since it means I can enumerate the IDs and get access to private presentations - some of which could have useful private data.

2) Prezi is not interested in blocking attacks which enumerate user ids, etc. This is great news - I can get a list of likely email addresses to use later.

3) Prezi disallows any forms of attacks that utilize outside services. That means that while Prezi's core systems have now been nicely screened, other systems are going to be wide open because nobody has bothered to test them properly. This works well with the list of email addresses from above and possibly data obtained from the private presentations above.

EDIT: Just want to add that this shows a very large misconception in the corporate security world. Security is not something you can get a "B - good effort" for. Security is all encompassing. You either get an A+ and the hacker does not get in, or you get an F and your data is gone. There is no middle ground. Putting parts of your security off-limit means you shouldn't have even bothered to begin with.

[+] dpeck|12 years ago|reply
> Why even have a limited scope on bounty programs?

There's a few reasons, most of them having to do with managing day to day operations and keeping the business operating, etc. It'd be great to have everything wide open and getting hammered until anything resembling a vulnerability is found, but that is sadly not really practical in most businesses.

Most bounty hunters aren't using precision. Without a doubt some are very meticulous, but a great many will throw every possible tool/option at their disposal at an application. This is great if it finds bugs, but it can also cause a lot of problems if their script generates a few hundred thousand help desk tickets that put your support/sales team way behind at crucial times.

There's also a lot of politics that comes into play. A lot of times these bounty programs have a split fanbase within company management and anything that interrupts the business, causes "bad" PR, and such will be quickly pointed out as reasons why the program should be discontinued.

Bug bounties != pen tests. Penetration testing takes a lot more for teams to work with and get something out of, and honestly a lot of organizations don't get anything out of a pentest. They either get a vuln assessment that a scanner jockey exported to pdf and showed up in a sports coat to present, or if they get an actual pen test by some of the people really doing it they get their ass handed to them so badly they have no idea what to do.

Bounties are to help a company understand the problems they have and get them fixed. Pen testing is about seeing how well you respond when everything goes to hell around you. Smaller orgs being constantly beat down isn't going to let them get a lot done to do anything except put out fires. (beware, physical world analogy ahead) Learning to defend yourself involves working with an instructor, and constantly getting better, not paying someone to whip your ass daily until you can't stand. Some people can work through the latter and become very well adapted to mitigating the attacks, but most will just get beat down and quit.

Maybe Prezi was trying to take a stand by not paying the guy for being out of scope, and that's fine, they're certainly dealing with the consequences of that decision, but it's completely understandable as to why they'd want some sort of scope to begin with.

[+] eli|12 years ago|reply
Well of course there have to be rules. Does spear phishing employees' email accounts and using their passwords to access control panels count as a bug? I bet I could hack a lot of companies that way. Does being susceptible to a massive DDoS count as a bug? Cutting power to the building?

I can't speak for Prezi, but it seems like they want people to test the security of their app, but not of their employees or back office infrastructure. Maybe you disagree, but it's their bounty and I think those are fair rules.

[+] columbo|12 years ago|reply
I can see why they would want to set up rules instead of allowing anything to happen.

For example, if I was to set up a bounty I really wouldn't want people at random contacting current or former clients trying to phish for passwords; I completely understand this is a threat, but I would want to personally manage something like that.

With that said, if something like this was found I'd pay the person. There's a point where you just recognize "Oh shit, that's a big hole, pay the man.".

[+] mpeg|12 years ago|reply
I think it's ridiculous, I've reported similar "out of scope" bugs and got no bounty for them.

Even worse are the companies that DON'T state any kind of bug bounty or instructions to report a security bug...

I found a data leak issue in one of the web properties of an S&P 500 company last week and I'm not sure if I should report it, because I feel that if misunderstood it could have negative consequences for me; and not having a security contact means I can't be sure the person I'm talking to understands my motives.


[+] azernik|12 years ago|reply
Often this is to keep from having to pay out for bugs you can't fix (the most common things to be out of scope are third party services). In this case the problem was actually on Prezi, but I imagine the rule was written to exclude bugs in their version control system from the bounty program.
[+] tlrobinson|12 years ago|reply
The only reason I see is if you provide immunity in exchange for following the rules you don't want to allow actions that can degrade your service like DDoSing, online brute forcing, vulnerability scanners, etc.

That doesn't really apply in this case though.

[+] colinbartlett|12 years ago|reply
There should be some neutral third party non-profit that adjudicates bug bounties so that security researchers don't need to worry that their efforts will go to waste.

Companies could sign on to using this third party and pay a fee and put up escrow for the service. This would motivate researchers to find bugs for those companies that utilize the service, knowing payment will be impartial.

[+] christianh|12 years ago|reply
A simple option is CrowdCurity - reward programs as a service. Private or public, dollars or bitcoin payments - everything setup and managed for the companies.

https://www.crowdcurity.com/

Disclosure: I'm co-founder of CrowdCurity

[+] terhechte|12 years ago|reply
That could be done with Bitcoin contracts, too.
[+] Systemic33|12 years ago|reply
What is the gain in setting up a "Can you hack us?" and then making some parts out of scope?! It's not like a black hat hacker would go "Oh well, this isn't their usual domain, so it's not fair" -.-

The only thing this causes is exceptionally bad PR, or even worse for the company; someone just got access and you don't know. Access to source code is like the gold mine of finding an exploit, because you will know exactly where a vulnerability is, and you won't even have to blindly test it.

[+] gabemart|12 years ago|reply
> What is the gain in setting up a "Can you hack us?" and then make some parts out of scope?! It's not like a black hat hacker would go "Oh well, this isn't their usual domain, so It's not fair" -.-

This suggests that anything less than perfect security is worthless. Which is better, having pentesters look for vulnerabilities in 50% of your surface area, or having pentesters look for vulnerabilities in 0% of your surface area?

Setting up a bug bounty program has a cost, both in terms of processing the data submitted and in potential disruption of the provision of services. This cost will differ from attack vector to attack vector. Having pentesters dress up as utility workers and attempt to sneak into your company offices to install keyloggers will have an extremely high cost in terms of disruption. This cost may be higher than the potential benefit of learning about the company's vulnerabilities in this area.

There are also some attack vectors that may be problematic to allow pentesters to probe due to third-party contracts, data protection laws, compliance issues, etc.

You may disagree with the particular areas a company chooses to define as out-of-scope, but to claim that having any areas off-limits renders the whole enterprise pointless is reductive and incorrect.

[+] raverbashing|12 years ago|reply
Exactly

In the end, everything matters

An out-of-band attack in the datacenter, VPS? Compromise of a developer machine to get inside the network? Social engineering?

In the end, if it caused loss or extraction of service/data, it doesn't matter how it's done.

[+] nikcub|12 years ago|reply
Exhibit A of why having a scope for bug bounties is a terrible idea. What is the point of testing your app for esoteric bugs when your entire source code and passwords can be Google dorked?
[+] mtrimpe|12 years ago|reply
Or for expanding the scope when you realize it's obviously too narrow.
[+] nowayman|12 years ago|reply
> Exhibit A of why having a scope for bug bounties is a terrible idea.

Case closed.

[+] halacsy|12 years ago|reply
I'm hp, co-founder and CTO of Prezi. We learn from our mistakes, and we have changed the program. To improve the program, from now on we will reward bug hunters who find bugs outside of the scope provided that they do not violate our users' information and that their report triggers us to improve our code base. We will also retroactively check to see if other reports found issues that fall into this category. More info at engineering.prezi.com/blog/2013/12/03/a-bug-in-the-bugbounty/
[+] ddoolin|12 years ago|reply
"Out of scope". Wow. Even more worthwhile that such a huge out of scope bug was found. These companies seem to try anything to keep from paying bug bounties.
[+] gnur|12 years ago|reply
To be fair, there was a scope set, and the author was fully aware of it:

> I had spent a total of 2 hours sifting and crawling through their services which were in scope, but wanted to see if I could locate any other subdomains, with the assistance of google.

While I agree that he most certainly found a "bug" (perhaps flaw would be a better word), it was out of scope. And using credentials from an employee to log in is nearly always out of scope.

[+] infosec_au|12 years ago|reply
Hi, I just thought I would update everyone on my experience and the last 12 hours.

At the time in which I found the bug and was not awarded for it, I was quite upset, evident from my tone in the email in which I decided that I did not want to receive any of their "swag", but rather give them some constructive criticism.

I wasn't expecting the blog post to get as noticed as it did, but as it has, I was able to observe great points on both sides of the argument of whether or not I should have received the bug bounty. These discussions were definitely required as they brought out some important issues with bug bounties today and how security issues should really be dealt with.

Prezi has now both apologised to me and also offered to pay me for my findings. I have updated my blog post to show this, as well as the emails exchanged between us. I'm glad that it ended this way - all within the last 12 hours.

Initially, I did not redact the developers names, and after the blog post became I had to rush to make sure that I had removed them from all places which were indexed by Google. My intention was not to negatively affect the careers of the Prezi developers affected from my findings.

I thank everyone here, and generally on the internet, for looking closer into my findings.

Thank you, Shubham

[+] j_s|12 years ago|reply
Break the rules, don't get the money. Surprise!!?? After reading the entire email thread, I think Prezi comes out better off than the OP:

Actually we're continuously thinking on your case and struggling on the right move. On one hand, your finding was very useful for us, and we learnt a lesson from it. On the other hand, intra.prezi.com is out of scope, and by using the credentials to log in you violated the terms and conditions of our bounty program.

...

In the past we turned down the bounty requests of people finding issues in out-of-scope services. We had a lot of internal discussions about your request: if we were about to pay, we couldn't justify our out-of-scope decisions for anyone else.

[+] nezza-_-|12 years ago|reply
Bad judgement call on the side of Prezi imho. He didn't abuse it and notified them immediately after verifying his finding, as it seems.
[+] Vivtek|12 years ago|reply
And they sat on the decision until he pestered them. Not good at all.
[+] jrochkind1|12 years ago|reply
What this guy describes doing (using accidentally exposed credentials to log in to somewhere) is quite a bit more than what other people have been successfully prosecuted for under the CFAA. I'd be careful.
[+] Vivtek|12 years ago|reply
You mean that Prezi, a Hungarian company, would prosecute the author, an Australian, under an American law?

The Internet isn't just something happening in the United States.

[+] hablahaha|12 years ago|reply
"We're pretty sure your actions were taken in good faith". Ouch, their email response contained barely an iota of gratitude and it was almost on the verge of passing judgement on his character.
[+] eranation|12 years ago|reply
So let me get it straight, someone, aware of their bounty program or not, found their closed SOURCE CODE, and is getting a T-Shirt? How much do you value your own source code? At least $10,000, right? ;) (probably much, much more) Who cares about the scope; if someone found my wallet on the street with $10,000 in it, I would give them a bit more than a T-Shirt, I would buy them a whole wardrobe.

Think if someone found the source code for Windows / Office / Photoshop, without any bounty program, and responsibly disclosed it to the respective companies. If he didn't walk away with nice amount of money, he could easily just put it in the nearest torrent site* without even feeling guilty (*this is wrong, and illegal, don't do it)

[+] girvo|12 years ago|reply
If you found Adobe's source code, they'd probably sic the cops onto you.
[+] girvo|12 years ago|reply
Ignoring the bounty thing for a second, their email response "we think it was in good faith" seems... not right to me. Am I reading that weird or did they seem pissed about him finding something like that?

He plugged a huge issue for them, and they screw him over due to "scope"... That's their choice, but it still seems bureaucratic to me.

[+] jwr|12 years ago|reply
I don't understand why companies start those bug bounties and later try to avoid paying out the rewards. If it were me, I'd book the reward amount as "spent" the minute I decided on a bug bounty hunt.

I think this is (yet another) lesson that participating in these kinds of bounty hunts is very risky and should only be done if the company is reputable (which this one apparently is not).

[+] DougBTX|12 years ago|reply
How is this not reputable? They are pretty clear about when they will not sue people trying to hack their systems, a bounty is a bonus.
[+] pepe_kriek|12 years ago|reply
Seems like Prezi has changed its mind about not paying. Prezi being a Hungarian startup, the story made a buzz in the local media, and one of the leading news sites reached out to them and got this reply: "Prezi: Hibáztunk és fizetni fogunk", which means: "We made a mistake, we will pay".

They also said that they will release a blog post and will change the bounty program, so mistakes like this will not happen again (hopefully).

[+] randallsquared|12 years ago|reply
Wow, I hope you didn't send them your physical address after this. We often hear of companies sending the police after people trying to be helpful.
[+] jcromartie|12 years ago|reply
Simply by logging in he could be thrown in jail. I hope some prosecutor doesn't get wind and decides to bring charges.
[+] err4nt|12 years ago|reply
Why is that? Weren't the login credentials posted publicly?
[+] oijaf888|12 years ago|reply
Which laws would apply?