Oct. 24, 2024

Episode 94: Zendesk Fiasco & the CTBB Naughty List

Critical Thinking - Bug Bounty Podcast

Episode 94: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel give their perspectives on the recent Zendesk fiasco and the ethical considerations surrounding it. They also highlight the launch of AuthzAI and some research from Ophion Security.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - AssetNote. Listen to their podcast https://www.criticalthinkingpodcast.io/sspod

Resources:

New music drop from our Boi YT

https://x.com/realytcracker/status/1847599657569956099

AuthzAI

https://authzai.com/

Ron Chan

https://x.com/ngalongc

Misconfigured User Auth Leads to Customer Messages

https://www.ophionsecurity.com/post/live-chat-blog-1-misconfigured-user-auth-leads-to-customer-messages

Zendesk Write-up

https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52

Response from Zendesk

https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52?permalink_comment_id=5232589#gistcomment-5232589

Timestamps

(00:00:00) Introduction

(00:05:29) AuthzAI and the return of Ron Chan

(00:13:50) Ophion Security Research

(00:18:12) Zendesk Drama

Transcript

Justin Gardner (00:09.585)
Come on, with me a little bit, Joel, come on.

Justin Gardner (00:17.307)
Dude, it's pretty solid, right? It's pretty good, man. Shout out to our boy, YT, with the new Corsair Captain song he dropped on SoundCloud this week. It's pretty good stuff. Let's cut to a longer clip of it. Let's go.

Joel Margolis (00:19.048)
That's pretty good.

Justin Gardner (00:34.501)
Then we'll cut in the longer clip here. You know what I'm saying?

OK, solid.

Joel Margolis (00:42.164)
Should just leave it like that. No longer clip.

Justin Gardner (00:44.465)
No, Richard, don't do it, Richard. Don't even think about it. No, dude, that was great. Shout out to YT. Dude, I don't know if we've given, you know, we've put in the show notes every week that he did our intro, like, for free, very quickly, and I just so appreciated that. And so I just wanted to give a little extra publicity, just a little.

little extra publicity to his new song. It's a banger for sure.

Joel Margolis (01:16.414)
Yeah, totally.

Justin Gardner (01:17.477)
Some of these lyrics, man. Hold on, let me find it. "When the sun goes down is when I'm doing all that dirty dirty hacking on the Gibson while I'm chilling with a pretty girly." I love it, dude. Yeah, yeah, yeah. Solid, very solid stuff there. All right, dude. When I opened up Twitter this week, well, first of all, for those of you on YouTube, let me just flex this amazing

Joel Margolis (01:27.86)
I think we can all relate, you know?

Justin Gardner (01:46.171)
hacker tattoo that I've got here that I finished up this week. Looks pretty good, right?

Joel Margolis (01:48.66)
Yeah. Yeah. Very nice. Yeah dude, I saw the pics. I was surprised, because I knew you'd said that you were gonna do it, but I didn't know when, and then you just did it.

Justin Gardner (02:01.585)
28 hours under the needle,

Joel Margolis (02:04.39)
Yeah, that's a, well it is a full arm sleeve for their, so, forearm sleeve.

Justin Gardner (02:07.119)
Yeah, yeah, forearm, yeah. I still gotta do the backside here, you know, like right here. Because when I'm looking in the mirror, like check this out, you know, when I'm looking like this, you can't even barely see I have anything beside the band, right?

Joel Margolis (02:13.832)
Yeah.

Joel Margolis (02:20.134)
Yeah, what's the point of having tattoos if you can't see them all the time?

Justin Gardner (02:23.567)
That's what I'm... Long sleeves, I've done forever. Always gonna be rolled up now. How long did it take your... Yeah.

Joel Margolis (02:27.86)
It's gonna be the middle of winter, Justin's in like a short sleeve, sleeveless shirt. It's like, this weather. These...

Justin Gardner (02:34.361)
These?

Joel Margolis (02:39.22)
Yeah, hi. These are my tattoos. I didn't know you saw them.

Justin Gardner (02:40.369)
My gosh. Please tell me I'm not that cringe. How long did it take you to do yours? Because yours is a flash, right?

Joel Margolis (02:46.484)
You

Joel Margolis (02:51.956)
Yeah, mine wasn't too bad. I want to say it was like, I don't know, an hour and a half or something.

Justin Gardner (02:56.401)
An hour and a half, not bad. Yeah, dude, the guy that did my tattoo, Ninjiter, he's actually a hacker as well, and he's sort of retired from tattooing and is just doing hacking stuff now. But he's amazing, man, and he did it very in-depth. And one of the crazy things about this is that it doesn't, like even afterwards, you know how a lot of times when you put the wrap on it or whatever, it will like, the ink will bleed out and it'll like.

So it didn't do that at all. And I'm like, how did you do that? And he's like, man, I don't know. Like a lot of tattoo artists, they just like yeet the ink in there and I just kind of, you know, put it just deep enough. And I'm like, dang dude, that's pretty skilled. So shout out to my boy Ninjeter. Thanks for the tat, man. All right, dude. Now that I've my piece of that, I opened Twitter this week and what do I see?

Joel Margolis (03:27.123)
Now that's...

Joel Margolis (03:34.482)
Yeah.

Joel Margolis (03:40.18)
That's awesome. That's awesome.

Justin Gardner (03:53.509)
Ron Chan, man. Ron Chan. You remember our homie? He's back.

Joel Margolis (03:56.434)
he's back how you are around ross women

Justin Gardner (04:00.209)
I'm very excited to see him tweeting some stuff out. He has got a, so for those of you that maybe aren't familiar, because I know he's kind of jumped in and out of the space a little bit, Ron is an amazingly talented hacker. And he was in the live hacking event circuit for a long time and just really impressed all of us that were there. And now he is back on the Bug Bounty Twitter scene with his new startup, AuthZ.ai.

What do you think, man?

Joel Margolis (04:32.56)
It certainly seems really interesting. He made a tweet the other day that was very, very accurate. I feel like, where it was basically like, you know, I, the idea is that, you know, you get enough people using your tooling that they go, this is really interesting. Who's making this tooling? And then you, you like contract to the company who's making the tooling for like pen tests and that kind of stuff. So, I think like that's generally the business model. And I think like,

Justin Gardner (04:46.513)
Mm-mm.

Justin Gardner (04:53.189)
Hmm. Hmm.

Joel Margolis (04:57.46)
When you think about like tooling, it's not, usually it's something that you were already going to be creating. So it's not necessarily a time sink to be creating that tooling and like distributing it for marketing purposes or whatever. It's, you know, it's helpful for your business and it's something that you're already planning on using. So it kind of just like streamlines your process as a business and then also gives you opportunities to flex sort of your capabilities. So I think it's really cool. I like it.

Justin Gardner (05:21.861)
Yeah. Yeah. I think so too. And I think it's a good, it's a good application of AI, right? This whole permission, you know, auth-z permission scheme thing. Like I feel like that's pretty ingestible into AI. And then a lot of what makes that difficult to test for is something that an AI could actually, you know, wrap their head around pretty easily. I think I'm interested to see what this sort of ingestion process for this whole thing is, is, is it going to look like?

And he said he's found some bugs with it already. But just the whole, like you have a, I feel like it'd be really amazing if you could just like somehow provide a screenshot of like the permission matrix or whatever. And somehow like a multimodal AI would grab the data out of there, synthesize it into a format that this can deal with and see what it can find.

Joel Margolis (06:18.116)
Yeah, for sure. It seems like, looking at the repo for this, it seems like you give it somewhat of like an OpenAPI-esque description of sort of like how your API works and the auth around it and all that kind of stuff, and then it will do the analysis. So it seems really, really cool, and I'm excited to see what other stuff that Ron's going to be creating, because he's super smart and talented and always has lots of good ideas.

Justin Gardner (06:22.438)
Mm-hmm.

Yeah.

Justin Gardner (06:44.901)
Yeah, yeah dude. This is definitely a cool intro. I'm surprised to you, you know, I'm a little, on one hand, I'm a little surprised that this is open source. And I think like you said, you know, it plays to the business model of like, you know, we'll open source this and it will, and it will convert into business for the actual consultancy. But yeah, I feel like the AI stuff right now, it's pretty, it's pretty hot to like make it into a service or something like that that you can use.

And, and, but he decided to open source it, solid, solid.

Joel Margolis (07:17.16)
Yeah. Yeah. Yeah, absolutely. It'll be really interesting to see. I'm still not sure how I feel about the whole AI bubble thing. Like I think it's, it's definitely cooled down a lot. So we'll see what happens. Like I think, you know, as with any new technology, there was sort of that like explosion of new startups and ideas and concepts and all this wow factor stuff. Now it's

Justin Gardner (07:31.078)
Mm-hmm.

Justin Gardner (07:40.433)
Mmm.

Joel Margolis (07:41.744)
It's sort of chilled down a little bit to some of the more practical, realistic implementations of it. So yeah, I think it'll be really interesting to see how this progresses.

Justin Gardner (07:46.447)
Mmm. Yeah.

Justin Gardner (07:53.347)
Have you played around much with o1 preview and like the whole thinking stuff behind that?

Joel Margolis (07:56.84)
Yeah. Yeah. Yeah. I use that as like whenever I'm doing anything that's like not service level, like, you know, reinterpretation of data or whatever. Like if it's, if I want it to actually like give me something that I'm more confident about the results, I use that one.

Justin Gardner (08:03.153)
Mmm.

Justin Gardner (08:12.239)
Okay, solid. Yeah, that makes sense. Just an anecdotal experience, but you know, Ryan and I play volleyball and Mariah's team captain and she's responsible for doing the rosters, right? You know, and like putting people at their various spots on the field or whatever, on the court. And she tried to give it to ChatGPT sometimes. She'd be like, all right, this person works well with this person and like, this is our setter and you know, just describe it all and.

Before, it just totally failed. It was putting, we play coed, right? So it has to be guy, girl, guy, girl, guy, girl. And it was putting guys next to guys and it was like, it was a mess. So I'm interested to see if the o1 preview can do a little bit better on some of those more technical tasks. I think it probably will.

Joel Margolis (09:02.866)
It probably will because like, you know, the whole thinking thing is basically just like using the AI to check the AI, right? Where it like, it'll output something. And I think the natural thought for us is like, if it gets us wrong, why, like, why do I, as a human have to be like, no, you're wrong. And then it'll be like, yeah, you're right. I am wrong. Like it should just do that on its own. And so that's kind of what it's doing where it, it, it'll look retroactively back and be like, here's what I output. Does that make sense? It'll be like, it'll be like, actually, actually that.

Justin Gardner (09:08.749)
Mm-hmm.

Justin Gardner (09:17.446)
Right.

Justin Gardner (09:27.121)
Did you do the thing right? No I didn't. Thinking. That's good.

Joel Margolis (09:32.968)
That doesn't really make sense, so I'm gonna redo it. You know, it's a very sort of natural way of going about it, I think. Yeah, I've definitely seen, I think somebody told me the stats are like that on the programming questionnaire or whatever, when they fed it into 4o, it was, I think it was like...

Justin Gardner (09:41.425)
Mm.

Justin Gardner (09:52.401)
Mm, mm.

Joel Margolis (09:57.62)
20% or something or 50% or something it got through, and then when they gave it to o1 it was like 80%, so it was pretty good.

Justin Gardner (10:03.515)
Wow. Dang. I also feel like a lot of the problems that it fails on, it could output code to solve. You know, like, if I say output code that calculates the possible iterations of this team's like volleyball structure, then I think it would be able to do that pretty well. But then, you know, if you just ask it to do it, then it's like, well, hold up. Like, so.

Joel Margolis (10:20.008)
Yeah.

Joel Margolis (10:26.866)
Yeah. Yeah. Yeah. It, and I think what you'll notice is if you click it, if you expand stuff, this has happened for a while, but like ChatGPT as a whole uses code to do a lot of what it does. So if you're like, look at this picture and tell me what's going on, it will write a Python script that OCRs it, and then it will run that pipe and then it runs that Python script. And if you expand like what it's like thinking about or whatever, it'll, it'll literally just be like writing a Python script. Yeah.

Justin Gardner (10:33.233)
Hmm.

Justin Gardner (10:40.241)
Hmm.

Justin Gardner (10:47.288)
really?

Justin Gardner (10:54.236)
That's cool. That's like the code interpreter thing. Is that that or is it something that I...

Joel Margolis (10:57.86)
No, no, this is just like normal. Like if you ask it to do more complex tasks, it will end up just writing us a piece of code that does that task and running that code.

Justin Gardner (11:06.043)
Well, of course, ChatGPT thought of that. That makes sense. I didn't just come up with this crazy idea that all of these genius people over at OpenAI didn't come up with. All right, cool. Well, we got a little derailed there, but let's swing back around to this blog post that we wanted to cover this week on Ophion Security from our boy, Rogen. And he, dude, I love how Rogen always goes after the...

Joel Margolis (11:09.16)
Yeah.

Justin Gardner (11:34.277)
very fringe parts of a company. Like you never see Rogin just like, yeah, here's an IDOR on dub dub dub, you know? Like, he's always hitting like the ticket system, the live chat system, that sort of thing. And I think this one turned out pretty impactfully for him.

Joel Margolis (11:37.587)
Yeah.

Joel Margolis (11:50.31)
Yeah, yeah, absolutely. He's always doing really cool stuff. I used to work with Rogin and I was just really excited to hear that he was going to start this security company. And the stuff that they've been doing lately in terms of like research and stuff is really, really awesome. So it's very exciting to see.

Justin Gardner (12:04.909)
Mm, yeah. It's a good model, man. Doing quality research and then using that as a lead gen for your.

Joel Margolis (12:14.32)
I mean, it's like, you know, what better way to show that like, you know, you're, you're capable, you have capable security folks, other than doing actual security research. I mean, think back to even just how like HackerOne started, like HackerOne's whole business model originally was hack these companies, give them bug reports and be like, hey, do you want to start a bug bounty program? You know? So yeah, I think that that's sort of like, you know, results by example type stuff is really, really good.

Justin Gardner (12:26.405)
Mm-hmm.

Justin Gardner (12:35.301)
Yeah, here you go.

Justin Gardner (12:42.027)
Mm. Yeah, yeah. I thought you were gonna go with the cake story for Hacker One. Have you heard the Hacker One cake story?

Joel Margolis (12:49.384)
The cake story? I think I'm-

Justin Gardner (12:52.433)
So I think I was talking to Gilbert, or maybe it was one of the other founders at a live hacking event, but he was pretty much saying, in the beginning, one of the ways they would say, one of the ways they would get customers or whatever was like, hey, if we can't hack you, we'll buy your whole office a cake. And then they always hacked them, so it's fine. Yeah, I mean, somebody walks into your office and is like, cake.

Joel Margolis (13:12.776)
That's such a low risk trade offer. We hack you or we send you a cake.

Justin Gardner (13:22.537)
That's pretty good. I like that though. Innovative marketing, you know? I'm gonna go ahead and let me just go ahead and share my screen, because I met with our video editor yesterday and he said that I should share my screen more so that you guys can get some stuff on the, like some visuals or whatever. Okay, so this is the write-up from Roshan here and Ophion Security, and I thought this was a pretty insightful little graphic here.

Joel Margolis (13:26.558)
Yeah, yeah, that's funny.

Justin Gardner (13:51.055)
I don't know if it's big enough to see, if not, we'll make it visible. Essentially, it explains the flow for how some of these live chat authentication systems work. It starts off with the user coming to your website. Essentially, on the back end, it generates an HMAC digest using the user's identifiers and secret key, dumps it back, and then passes that to...

in this example, Helpshift, but in other scenarios, other live chat services, he said this was a trend he saw across a couple of them, and then that's what is used for authentication. So it's a pretty reasonable flow. The problem with that is that you're leaving a lot of this authentication up to the end user. So what we see from the example that he dropped here is that they were just using this underscore SVPT cookie

with an email address value in it, and it was just dumping back the actual, you know, it put the email address in there and it dumped back the auth token. And so, you know, when we're trusting, when we're trusting that end user there, or the end user of the live chat software to deal with that correctly, there's definitely some room for error, especially on these systems that sort of get, I guess, duct taped into the whole flow.

And that really goes back to what the AssetNote team was just talking about a couple weeks ago on their Surfacing Security podcast, for these third-party softwares that are taped into your main app are often the weakest point. So I feel like I often overlook these, especially when it's something like this, where it's like, I needed to weed out all of the cookies to find that just this underscore SVPT cookie was what was handling auth.

Joel Margolis (15:37.97)
Yeah. Yeah, exactly. Yeah. I mean, I think those integration points are super, super important because it's made to be easy, but that often means that assumptions have to be made to make it easy.

Justin Gardner (15:47.249)
Mm-hmm.

Justin Gardner (15:52.037)
Mm-hmm. Yeah. Yeah. I think so too. So I'm definitely going to make sure I look at these. I've also recently found a vulnerability in the live chat system that affected like www and was pretty gnarly. So I feel like this might be a surface that a lot of people look at and be like, third party stuff, I'm not sure I'm going to touch that. You know, it's probably used on a lot of websites, but I think it's also an attack surface for a good amount of, like if you get a zero day on it, there's a lot of impact

that can be sprayed across a lot of companies. And so that's a good place for research, I think.

Joel Margolis (16:26.386)
Well, this is pretty topical, I guess, because, yeah, yeah, so, yeah, speaking of hacking through third parties and affecting other companies, right? So there's this whole Zendesk thing. So, yeah, why don't we, why don't we talk about that?

Justin Gardner (16:29.857)
Here we go. Hacking third parties, yep.

Justin Gardner (16:38.737)
Mm.

Justin Gardner (16:43.353)
Okay, all right, we're opening up a can of worms a little bit here. Yeah, dude, I don't know. I mean, this is the main topic for this week, right? And I kind of wish that we had jumped on it a little bit more when it was fresh, right? But I think we'll just, I just wanted to at least mention it and debate it a little bit here because I think there's a lot of nuance to this situation, but the principles apply pretty broadly. And for those of you that aren't familiar with the,

what I'm entitling the Zendesk fiasco. There was a 15-year-old researcher, clearly very skilled, that found a way to, let's just say, pwn Zendesk. It was regarding the email system and being able to leak the contents of any helpdesk ticket. And they reported to Zendesk, and because it has some of those keyword indicators, like,

What was the actual one? Like the email security headers? Yeah, email spoofing, right? 99% of the vulnerabilities that you get through your bug bounty program that contain email spoofing are gonna be informative or NA, right? But this one was valid, and the team ended up closing it as informative. And the researcher was like, of course, okay, well, if it's not a bug,

Joel Margolis (17:42.269)
Email spoofing.

Justin Gardner (18:05.637)
then I guess I need to tell other companies about this because I think there's risk and maybe they will think of that too. And then it just started raising a bunch of problems for Zendesk because all the third parties were like, whoa, whoa, whoa, whoa, whoa, whoa, whoa, whoa, did you leak all of our internal ticket data? And then Zendesk was having to deal with a fire on their hands. So I don't know, Joel, I know you have a little bit more program side experience than me, so.

Maybe there's some nuance to the situation I'm missing, but this seems like a pretty clear misstep by Zendesk to me.

Joel Margolis (18:36.272)
Yeah, so I mean, generally it seems like this entire thing was a pretty bad miscommunication between parties. Like, I don't know if Zendesk uses H1 Triage. I don't know if that was disclosed in the write-up. H1 staff said... Yeah, so they do. Right, so Triage screwed this up.

Justin Gardner (18:52.337)
Yeah, they do. Yeah, so H1 analyst, yeah, Layla was the one that closed the report.

Joel Margolis (19:01.396)
Like they, you know, they said, okay, this is email spoofing. So it didn't even reach the customer team essentially at that, at that point. Right. And then they, I believe the researcher did mediation and then mediation also said, this is spoofing, this is email spoofing. So it's not going to count. And then at that point...

Justin Gardner (19:06.673)
Mm, mm.

Justin Gardner (19:15.761)
Mm-hmm.

Joel Margolis (19:31.668)
I don't think, I understand the researcher's thought process of, maybe other companies wanna hear about this. So it's been marked as not an issue by the program, so I'm free to report this. I don't know about that one. Yeah.

Justin Gardner (19:52.101)
Yeah, what is the correct route for the researcher going forward then, I wonder. Like, if you went through the mediation process, if you tried to get your report re-looked at and they won't do it, what recourse does the researcher have at that point, I wonder?

Joel Margolis (20:07.796)
I mean, I don't know if they necessarily do have recourse. I think like the fact that they went around Zendesk afterwards and it happened that companies agreed that they cared about it from an impact perspective, I think is kind of, to be honest, more of a luck sort of situation thing than anything. Like realistically, the fact that Zendesk didn't think it was something that needed to be fixed in the beginning also, well.

Justin Gardner (20:11.302)
Mm.

Justin Gardner (20:16.817)
Mm-hmm.

Justin Gardner (20:22.512)
Mm-hmm.

Justin Gardner (20:27.185)
Mmm.

Joel Margolis (20:37.854)
I'm assuming that they had to have that discussion at some point because when you go through mediation, like you're gonna get reached out to directly. So they definitely had to review it at some point. It's unlikely that that's, yeah, like it would be highly unlikely that like the mediation case would have been closed without any interaction from the Zendesk team at all. So they probably had to view it and be like, yeah, okay, this is not something that we're gonna accept. And like the fact that other companies,

Justin Gardner (20:43.823)
Yeah. Yeah, when you go through mediation, is that the case? OK.

Justin Gardner (20:58.576)
Mm-hmm.

Joel Margolis (21:05.78)
who had Zendesk were like, actually, okay, this is something we want to fix. And it ended up falling sort of upstream back to Zendesk. I think that doesn't always happen. You'll definitely find cases where companies will be like, even if it is something they do care about, they'll be like, well, how are we supposed to fix this? There should be a fix from Zendesk. If there's no fix from Zendesk, then do we need to report to Zendesk? And then as a program manager, I'd be like, well, is this a zero day?

we should be reporting this to Zendesk before it comes to me. So I don't know, I think it all sort of falls back to that initial case of Zendesk being like, this is out of scope for the program. And then when it started coming back in through the customer channels, Zendesk should have reopened the report and said, we are actually gonna fix this and just, they could have handled it that way and it would have been very easy.

Justin Gardner (22:02.289)
Yep.

Joel Margolis (22:03.474)
I think going the route of, you know, you violated our program terms by reporting this to other companies and stuff, like...

Joel Margolis (22:15.451)
not something I would have done.

Justin Gardner (22:17.334)
Okay, wow, that's an interesting approach to it. I think for me, where the buck falls there is that when it was closed as informative and the mediation process ended, I feel like the hacker doesn't have any other recourse at that point besides reporting it to other programs.

Joel Margolis (22:39.166)
Well, it's more so there's this whole concept of implicit agreement, right? Where I think a lot of researchers, like the, kind of like to try and ignore this or like think that it doesn't exist, but from a program side, it's like basically the only like agreement you have with the researcher, which is that when you submit something to a program, you're agreeing to the program's policy and terms and that, you know, you're not, it's going to disclose the details of that vulnerability without the

Justin Gardner (22:44.091)
Mm-hmm.

Justin Gardner (22:48.401)
You

Justin Gardner (22:52.017)
Hmm.

Joel Margolis (23:08.656)
of the program and all that kind of stuff by submitting it, which is why when, if you wanna do a disclosure after 90 days, you should never report it through a bug bounty program. You should submit it to their email, right? And I don't think that's groundbreaking knowledge or anything, but that is really the lens that you need to look at it through, which is that you submitted it to the program, which means you're now in a semi-binding agreement with that program about that vulnerability. And you can't

Justin Gardner (23:09.521)
Mm-hmm.

Justin Gardner (23:17.093)
Yeah.

Justin Gardner (23:34.832)
Mm.

Joel Margolis (23:36.66)
then go turn around and disclose it to other companies without the permission of that program or like, there are certain things and realistically like the re.

Justin Gardner (23:48.933)
I just feel like it's not a vulnerability though at that point, right? Like if they're saying informative or NA, then why is this binding? And I think this might be, and this might be where the rubber hits the road here, this might be an H1 problem with regards to the terms and services, right? Because I think like there should be something that says, hey, if a report is informative or NA, then this is not something that the program is actively.

Joel Margolis (23:52.436)
What?

Joel Margolis (24:01.268)
Yeah.

Justin Gardner (24:16.891)
But then you get into those scenarios where it's like you close something as informative because it's out of scope but it's actually a valid vuln, you know? I don't know.

Joel Margolis (24:23.196)
Right. Yeah. Yeah. So, I mean, it's definitely a little bit on, on both, like again, like H1 Triage was the ones who kind of screwed this up initially. And, and then H1 Mediation as well, like pushed again, like from, if I was managing the Zendesk program and I look through this and I'm seeing all the backlash, I would have reached out to Akro and been like, hey, what's going on here? Like, I think we probably should have accepted this. Why was this

Justin Gardner (24:29.605)
Mm-hmm.

Justin Gardner (24:33.221)
Yeah.

Justin Gardner (24:48.177)
Mm-hmm.

Joel Margolis (24:53.308)
decided as email spoofing twice now? You know, just would have been like, in terms of like the agreement stuff, like the policy stuff, I view HackerOne and the programs as sort of like similar to like the US, like federal and state system, right? So like HackerOne is like the federal government in the sense that they set overarching policies and rules and stuff, but the programs themselves can override those just like states can. So.

Justin Gardner (25:11.057)
Mm-mm.

Justin Gardner (25:17.009)
Mm.

Joel Margolis (25:21.76)
In that sense, like a program can say like, we, we don't follow the program guide, the platform standards of XYZ. This is how we handle it instead. You're allowed to do that. So I think, you know, Zendesk, like on one hand, HackerOne can say like, and they probably do, you're not allowed to report your disclosed vulnerabilities, you know, without permission from the program. And you know, you'd be violating that on the HackerOne side and...

Justin Gardner (25:45.553)
Mm.

Justin Gardner (25:53.615)
Yeah, in the response.

Joel Margolis (25:55.828)
Yeah, so in Zendesk's policy, here we go, share the details of reporting, share the details of any suspected vulnerabilities with the Zendesk security team by filing a report. Please do not publicly disclose these details outside of this process with explicit permission. So "publicly", keyword there, we could go back and forth on that, but I think really what it comes down to is you're not supposed to disclose details of a vulnerability without explicit permission from the security team with anybody in any format, right?

Justin Gardner (26:08.454)
Yeah.

Justin Gardner (26:21.498)
Mm.

Joel Margolis (26:25.212)
whether that's sharing it with your friend or sharing it with a company who's affected or sharing it publicly on a blog. I think like the program team went and they said, we're not gonna fix this. So the researcher to cover their ass, probably should have just commented and said, hey, is it all right if I report this to companies who are affected to see if they want to fix it? And you know.

Justin Gardner (26:50.651)
They disagree. Yeah. And the thing is...

Joel Margolis (26:54.246)
If they say no, then it's like, okay, well, why not? Why aren't you going to fix it? That's like a separate discussion. But I think, you know, it's like either you fix it or you allow them to, to disclose it to the affected companies and see if it wants to be fixed.

Justin Gardner (27:07.685)
Yeah, yeah. And I think the thing is as well, we didn't actually see the full details of the report that this hacker, hackermondev, sent into the Zendesk program. And I'd like to believe that that report was very detailed in showing impact and stuff like that. But I know that this is a tricky situation for HackerOne, right? Like it looks like an email spoofing vulnerability.

Given the nature of Zendesk and how many vulnerabilities there have been relating to email bugs with Zendesk, I would hope that there would be something in writing for the triagers that are working on that program saying, hey, email-related bugs should take a, we should take an extra look at those on this program because there's been some scary shit that's happened because of that. But it is possible, to give the program the benefit of the doubt,

Joel Margolis (28:01.886)
Yeah.

Justin Gardner (28:05.649)
it is possible that the hacker didn't show excellent impact. The problem is his write-up was really good. And so I really don't think that's the case. And so I definitely think there wasn't a lot of recourse for him. And if I were in his shoes, I probably would have done the same thing. And I went to go and look at that hacker's profile, by the way. He's got like 3,000 rep on HackerOne. So it's not like in a 6.4 signal.

Right, so I feel like this is a misstep by HackerOne. It's not like he's a fresh account, you know, first report is like, email's moving, let's go, you know? He's gotta establish track record.

Joel Margolis (28:45.876)
Yeah. Yeah. 'Cause I don't even think you can do mediation if you have no signal, right? Like there are certain limitations. Yeah, I don't know. I, I, again, I think as a whole, like there were multiple missteps in terms of communication and process here. And I'm going to hold my tongue here a little bit in terms of my real feelings, but, you know, I will say like, I think this is a systemic problem with all triage services,

Justin Gardner (28:50.671)
Right. Right.

Justin Gardner (29:03.501)
Mm. Mm-hmm, mm-hmm.

Joel Margolis (29:15.11)
where trying to put a generic puzzle piece into a complex solution tends to fail at scale. And that generic puzzle piece is triage and the complex puzzle is a per program vulnerability validation solution. And when you start having a team of people whose job is to just validate vulnerabilities, it becomes less and less about

Justin Gardner (29:22.373)
Yeah. Yeah.

Justin Gardner (29:39.215)
Mm-hmm.

Joel Margolis (29:44.142)
nuance and context to the program and how to handle specific vulnerabilities for specific programs and more about is this valid? Yes or no checkbox binary one zero. And is it reproducible? Yes. You know, does it fall into these categories in the policy that are out of scope? Yes or no. Right. And it becomes a lot more difficult to make those nuanced decisions at scale. So they don't.

Justin Gardner (29:55.745)
Mm. Mm. Yeah.

Justin Gardner (30:12.325)
Hmm. Yeah, yeah. That's the nature of the beast. And I would have liked to see HackerOne, and maybe they did and I missed it, but I haven't seen it, send out some sort of PR statement on this specific incident because it did get a lot of press. And I would have liked to see them take responsibility for it because at the end of the day, we can see clearly from the write-up that the first triager closing it as

Joel Margolis (30:14.812)
and then you have these problems.

Justin Gardner (30:41.071)
as informative and then the mediation team not fully validating it was a misstep. And I think there's a lot of grace, right? Because it does have that weird, you know, like, "this is probably not an issue" vibe to it, but when you look deeper, it does, right? So if HackerOne had come out and said, hey, our bad, you know, just want to publicly apologize to HackerMondev and say like, hey, we messed up that one.

Joel Margolis (30:57.341)
Yeah.

Justin Gardner (31:08.177)
I feel like most of the community would be like, yeah, we get it, Email bugs, am I right?

Joel Margolis (31:12.052)
Yeah, I think probably the reason that they're kind of just doing non-action here is that HackerMondev did fine. He made plenty of, plenty of from this. His stats are fine. There was one, the root cause instance of this went poorly, but the overall outcomes?

Justin Gardner (31:21.265)
Mm-hmm.

Justin Gardner (31:27.577)
Yeah, yeah.

Justin Gardner (31:31.653)
Yeah.

Joel Margolis (31:41.224)
Fine, like, what it, like, they're not gonna pull into the Make It Right fund for this, like he made plenty of money, like, so it's, it's kind of a tricky situation, like, in terms of process. Yeah, they definitely could have done better. That is something I would be interested in seeing, is some sort of statement about, you know, like if there was a process failure here and whether or not triage should have said, yep, this is spam, and whether or not mediation should have also said, yep, this is spam, email spam and/or email spoofing.

Justin Gardner (31:47.345)
Yeah.

Justin Gardner (32:11.121)
Mm-mm.

Joel Margolis (32:11.38)
And, you know, just like some clarity on that I think would be good, just to know whether or not that's what actually went wrong or whether it was, you know, just a miscommunication or whatever. But otherwise, like, you know, they're not gonna, they don't have anything to really make right in terms of, you know, 'cause again, it's like there were multiple reports that got resolved, got paid out, like on stuff on the affected companies, and it's just this one that it's like, what, informative? Like it's

Justin Gardner (32:23.665)
Mm.

Justin Gardner (32:33.638)
Mm.

Justin Gardner (32:38.833)
Yeah, yeah. Yeah. I think Nagli, just in sort of agreement with what you're saying, Nagli had a great reply to one of my tweets. He says, he was very fortunate that Zendesk initially closed this as informative. Otherwise, he would have made one K max instead of 50. Yeah, yeah. And I see that. I see that. I think that's valid. Yeah.

Joel Margolis (32:39.858)
like not even an impact

Joel Margolis (32:57.083)
Exactly, that's, that's exactly right.

Joel Margolis (33:05.416)
Like, I'm not trying to minimize the outrage, because I think, again, it certainly seems from the outset that there was a process problem, that something went wrong, and maybe there needs to be more clarity about, maybe there needs to be a specific call out for the triage team doing Zendesk stuff or whatever, I don't know, whatever needs to happen, but it does feel like something went a little wacky there. That being said, yeah, exactly what Nagli said.

Justin Gardner (33:16.145)
Mm.

Justin Gardner (33:23.074)
Mm, mm. Yeah.

Joel Margolis (33:31.036)
Like, one report closes informative equals 50k in values instead, right? So yeah, it could be worse.

Justin Gardner (33:31.217)
Yeah, 50K in bounties. It works out in the end. Yeah, I did reach out to H1 and say, hey, do any of you guys want to come on the pod and talk about this scenario? Because it did blow up a lot. And none of them took me up on it. So we'll see if they send out a statement at some point.

Joel Margolis (33:47.604)
Huh, that's odd.

Joel Margolis (33:56.499)
Yeah.

Justin Gardner (33:56.669)
At the end of the day, I do sort of agree with what you're saying here, and what Nagli said as well, which is that in the end it worked out better for him because he got a... Yeah, well I think he also got a lot of good PR out of it too, you know? Like, he's our boy now. Like, if I see this 15-year-old dude, I'm gonna be like, sup dude, like, Zendesk really screwed you on that one, didn't they? But I also think that the response was not great from the Zendesk team either.

Joel Margolis (34:04.114)
I guess HackerOne's PR team is hard at work still.

Joel Margolis (34:13.106)
Yeah.

Yeah.

Yeah.

Justin Gardner (34:25.743)
I feel like at the end of the day, Zendesk, so this is what gets me a little riled up, Joel, okay? Like I get HackerOne making mistakes and not taking responsibility for it. I get it. It's a big company now, whatever. It's not our little baby like it used to be back in 2017 or whatever. I think the Zendesk team should have done something differently here because at the end of the day, clearly once they get hit by a bunch of customers saying, hey, fix this, hey, fix this, hey, fix this, now they know it's a problem.

and they go back to this report and they have the audacity to say to this kid, hey, you shouldn't have disclosed this, even though the process failed you, and even though we overlooked this report and said this isn't a valid vulnerability. And so they say, hey, researcher did something ethically wrong, and I don't think that's the case.

Joel Margolis (35:15.732)
Yeah, I mean, I, I, I agree that, that, again, as I said, I wouldn't have handled it that way. Going back and saying like, you broke our policy. Like nobody, literally nobody would have found out about this. If you just were like, sorry, we fucked up here. Here's a, here's a three K bounty resolved. Like,

Justin Gardner (35:22.105)
Yeah.

Justin Gardner (35:35.673)
Exactly.

Yeah. Dude, then he would have been excited. This would have been great for the Zendesk team, right? You know, that would have been great.

Joel Margolis (35:45.566)
Please stop reporting it to other customers. Like, yeah, I don't know. I feel like, whatever. Again, not how I would have handled the situation. It is what it is. I think there are valuable lessons that have probably been learned from all parties involved. You know, from the researcher's side, like, just because a program closes something as informative or whatever, you're not immune, right? Like you still agreed to program terms, you still submitted it to them, that vulnerability still falls under the guidelines of the program and the platform and everything.

Justin Gardner (35:51.099)
So, yeah.

Justin Gardner (35:58.171)
Mm. Yeah.

Joel Margolis (36:14.996)
You're not just off the hook because they said, nah, this isn't something that we're gonna fix. And from the program side, if you're getting a lot of pushback about something, give it a little manual look. And from the platform side, like...

Justin Gardner (36:30.032)
Yeah.

Justin Gardner (36:33.531)
or just learn how to say you're wrong. That's the thing that a lot of these, I mean these companies and their companies or whatever and people's careers are probably gonna take a hit or whatever here. So maybe it's a little bit easier for me to say on the outside, where my mistakes are saying something stupid to my wife versus screwing some hacker out of some money in a big PR scenario. But I feel like it's not that hard to say, hey, sorry about that, that was my bad.

Joel Margolis (36:35.622)
Yeah, yeah, I dunno. It's not easy, but yeah.

Justin Gardner (37:02.123)
and that's just kind of what I would have expected. And now everybody hates the Zendesk program now. That gist had like, gist, gist? We're not gonna start that. Had like a ton of comments underneath it being like, what is wrong with you guys? Like, wow, this response is garbage. So I think at the end of the day, it really didn't pan out well for Zendesk. I, what Joel, what?

Joel Margolis (37:26.164)
Also, well, they left a comment on fucking GitHub.

Justin Gardner (37:30.746)
Yeah.

Joel Margolis (37:33.694)
Yeah.

Justin Gardner (37:35.121)
I know you're trying your best to be... Come on, let it fly a little bit here Joel, come on. Let your true thoughts fly.

Joel Margolis (37:41.556)
I think Zendesk needs to get the PRT and the HackerOne as... Because it doesn't think genius to be like, hmm, maybe we shouldn't engage publicly on this. Like, when has that ever panned out well? Are you kidding me? Like, what? Like, you literally, like, there was a public forum where people were commenting and, like, shitting on you, and then you were like, I know, let's

Justin Gardner (37:47.845)
Yeah. Interesting way of saying that.

Justin Gardner (37:56.811)
Mm-hmm

Joel Margolis (38:08.052)
engage directly and, like, commented on it, like, and then they started getting added by all these people being like, no, you're wrong. Like, man, we just stoked the fire. I don't know, it's just really, I don't know. It definitely feels like the security team is on damage control here, not the PR team.

Justin Gardner (38:08.953)
Mm-hmm. Yeah.

Justin Gardner (38:27.173)
Yeah, yeah, I agree. Okay, let me run this last thing by you, okay? So when I was reading this and I was all riled up and I was mad for my boy Hacker Mondev here, my 15 year old lead hacker, I was thinking, I feel like Zendesk needs to be punished for this behavior. And I'm thinking it would be interesting to have a list of programs that have notably

treated hackers in a way that doesn't make any sense.

Joel Margolis (38:58.216)
You know, this is really interesting coming from you. Because in like the first two weeks of us starting our Discord, there was a very similar idea that was floated and they were like, what if we have like a reputation list of like bad experiences with programs? And we were like, no, this is a terrible idea because it's literally just gonna create a witch hunt spreadsheet where people are gonna be like, I had a bad experience with this program and then nobody's ever gonna hack on it. Even if the program like management changes or policies change or anything, it's just like.

Justin Gardner (39:01.35)
Why?

Justin Gardner (39:06.651)
Uh-huh.

Justin Gardner (39:26.585)
Okay, my idea has matured since then, Joel. No, no, no, it's matured. And I appreciate you being here to tell me I'm crazy when I'm crazy, and that's fine. I appreciate that. That being said, the idea has evolved a little bit, okay? So this is only, this is a list that is maintained by us, so that will be a little bit of logistical overhead. But there will be only hackers of certain reputation.

Joel Margolis (39:27.76)
It's, it's, it's not productive.

Justin Gardner (39:52.731)
can make submissions to this list, hackers that have successfully interacted with programs time and time again and aren't just tilty because they got, you know, hacked up on one program or something like that. And it would also have to come along with a historical reference for the behaviors that they exhibited that are negative towards researchers and a remediation step that the company can do to get their program removed from this list.

And like for example, in this scenario, if Zendesk just paid the bounty and said sorry about that, then everything would be fine.

Joel Margolis (40:26.836)
Okay, but some of that is impo- like, now, what is Zendesk supposed to do to get off that list?

Justin Gardner (40:33.545)
They're supposed to say, so we put up the, let's say Zendesk was an entry on the list, we'd say hey, this scenario was really poorly handled, and then they engaged the hacker and they said hey, the vulnerability that you submitted that wasn't a vulnerability that you told other, you told people, no, no, no, Joel, listen, listen, listen.

Joel Margolis (40:50.292)
This is very, okay. Listen. I, listen, I love the energy. This is very close to blackmail. You're just saying, you're saying, you're saying, we're putting you on our bad program list, and if you want to get off the bad program list, you have to do what we said.

Justin Gardner (40:57.366)
It's not blackmail, it's caring for the community.

Justin Gardner (41:06.705)
I'm just saying, like, I think that this would...

Joel Margolis (41:08.988)
Isn't that... I mean... I mean, I... I think so. I don't know.

Justin Gardner (41:11.644)
Did I just invent blackmail?

Justin Gardner (41:19.249)
Okay, alright, well, thanks for the fact check, Joel. It's just an idea, and I think that it would provide some accountability for programs that are mistreating hackers. And we know that there are programs out there that mistreat hackers, and you and I both know that we have these discords, and people say, hey guys, don't hack on this program because they did XYZ, and then everyone's like, thanks bro, I would never hack on a program that does that. Thanks for the heads up. So why don't we just formalize that?

Joel Margolis (41:21.396)
Yes.

Joel Margolis (41:31.657)
Yeah, I don't know, maybe, maybe the better...

Joel Margolis (41:44.436)
Well, so what I'll say is, yeah, what I'll say is, like, I think I've had plenty of those experiences myself, but for every one of those, there's also an experience where it's like, I had this really bad experience with this program, and the person I'm talking to goes, really? I've never had a bad experience with that program. And that happens pretty frequently as well. So there's that side of it, and the other side is, I think

Justin Gardner (41:48.111)
Besides the blackmail component, which I kind of hate.

Joel Margolis (42:14.054)
it would probably be better handled by like an independent third party where like, I think the general idea here is that like, it's, if it's no, because we're, we have a conflict of interest. I think like the idea is, is mistreatment of hackers. That definitely happens. Right. And so I think probably the best way to go about that is either the platforms have some sort of an

Justin Gardner (42:20.505)
Are we not the independent third party?

Justin Gardner (42:27.695)
That's a good point.

Justin Gardner (42:38.629)
platform. The freaking platform.

Joel Margolis (42:39.846)
either platform has like an audit committee of some kind where a hacker can say, I feel like I'm being mistreated by this program here. It's somewhat of like a legal system, right? Where they submit a case and they make, here's my evidence or whatever and the program can defend it. I think it's something that could get out of hand, right? So that needs to be handled somehow where if you have a bunch of hackers who get mad at a program or whatever,

Justin Gardner (42:50.512)
Mm-hmm.

Joel Margolis (43:09.884)
Like this program can't be spending a bunch of their time like debating or arbitrating or whatever in the, in the hacker court, like about whether or not they're mistreating hackers. Cause yeah, like, but, you know, I think like some sort of an independent committee or process is probably a better strategy where like, you know, from like a systemic level where you're talking about where like, a program is, is treating hackers poorly.

Justin Gardner (43:15.419)
Yeah.

Justin Gardner (43:19.377)
course, buys domain.

Joel Margolis (43:39.422)
time and time again on multiple instances in similar ways, then that can be addressed from sort of like a platform side where the platform goes, hey, if you want to stay on HackerOne, then you need to either change your policies or, you know.

Justin Gardner (43:54.961)
Yeah, I mean, at the end of the day, you're right. I think probably that list is not the best idea. And I think this is best handled at the platform level. And it would be cool if there was an independent third party like hackercourt.com, whoever owns that, let's go, where there was some accountability for that. If the platforms themselves take responsibility for the way that these programs are running, then we won't have that problem.

So I think that there could be a world in which we have a petition system or something like that where if the community says, hey, guys, this is messed up, H1, you need to review this, you need to have some stance on this, and we get 1,000 signatures on it, whatever, then HackerOne's like, all right, look, we'll take it under, we'll have a statement, that sort of thing.

Joel Margolis (44:36.252)
Yeah, like

Joel Margolis (44:42.804)
Yeah, I mean, maybe the strategy is like, maybe not a petition system. Cause again, this can all be like community, like you can rally people and it gets unfair and then you can force things to happen. But like, I think maybe like an anonymous like review, like I think this program is causing problems unjustly. And once they hit a certain threshold of reports of that nature, then there's an investigation that happens like by a human, not just.

Justin Gardner (44:53.882)
Mm-hmm.

Justin Gardner (45:12.901)
Yeah, yeah, or maybe, and maybe this does exist internally at HackerOne, who knows, but it would be great if the hackers had a little bit more introspection into this process. And I think also, this also all rolls back to the thing we've been talking about forever, which is hacker unionization. And I think that this is something that would be, shut up Joel, this is a real conversation, okay? This is something that would.

Joel Margolis (45:13.268)
does this fall into the policy or whatever.

Joel Margolis (45:17.885)
Yeah, I don't know.

Joel Margolis (45:34.748)
Okay

Justin Gardner (45:42.459)
fall under that purview, right? And I don't think it's gonna happen, I don't think it's necessary, but this is something that the...

Joel Margolis (45:49.758)
hackers are gonna strike? Where's our leverage? We're independent contractors.

Justin Gardner (45:52.335)
Well, that's a good point. Yeah, well, I think there's a lot of leverage, it's, yeah, but at the end of the day, there's billions of dollars in companies that are associated with hackers doing what they do. So we do have leverage on the platforms. We don't have as much leverage on the programs, but we do have leverage on the platforms if we say, hey, listen, we're not gonna hack on HackerOne until this.

until this stops, then I think we are at a pretty leveraged point. We are the product.

Joel Margolis (46:29.918)
There, we don't pay bills.

Justin Gardner (46:34.414)
Yeah, but the programs aren't going to stay on the platform if there's no hackers hacking on the platform, right?

Joel Margolis (46:41.844)
I mean, they can't just up and leave. They got contracts.

Justin Gardner (46:43.151)
Is that? Yeah, they've got like service agreements or whatever. Yeah, so it'd have to be an extended thing is what you're saying.

Joel Margolis (46:52.052)
Yeah, it would have to be like minimum probably six months to a year.

Justin Gardner (46:58.137)
Makes sense, dude. Makes sense. All right, well, thanks for the sanity check here. Thanks for holding me down, man. I appreciate that. I think that's a wrap. You got anything else? All right, GG. Peace.

Joel Margolis (46:59.889)
Maybe I be giving you ideas.

Joel Margolis (47:11.156)
But now I think that's it. Alright, peace.