Yes, I think bounties in this class and with this impact should at least be six figures.

If a company loses 120 million a year to security bounties, they will take into account the cost of scrumming/rapid widget delivery.

Would love to see the parts of the market where you've marked off every current option, given each would represent new business opportunities.

Probably any SK company. Bounties are awful and only paid out to SK citizens. Everyone else gets a pat on the back for being a sucker.

HackerOne’s mediator dropped the ball here

They should absolutely inform a client company of a perceived threat, when they agree on the threat

Most of the person’s post and responses here are about Zendesk’s issue, but Zendesk was never informed

for a better PR response, I think now Zendesk could reward this after realizing it wouldnt have been disclosed first, and admonish HackerOne for not informing them and the current policies there

This is pretty common on H1, probably due to the amount of crap they receive.

If you are a new user expect your first couple reports to be butchered. It seems to me only reports from well known hackers gets carefully analysed.

> Most of the person’s post and responses here are about Zendesk’s issue, but Zendesk was never informed

It's not clear whether they were informed. The mediator's email says "after consultations with *the team*", which is likely referring to Zendesk's security team.

It anyways took Zendesk several months to fix the issue and they also didn’t acknowledge the author with what should be a very sizeable bounty. It’s not every day that someone tries to warn you about a massive security hole and then goes out of their way to warn your clients for you because you ignored them.

Zendesk was informed. OP specifically said they asked h1 to escalate to the company itself and the second email they present way from someone from Zendesk, who still rejected them, adding that this decision was made “after consulting with the team”.

Good catch