Engineering at Prezi

A Bug in the Bugbounty (Updated)

One of Prezi’s key values has always been that we learn from our mistakes.

The Mistake

A few months ago, we launched a Bug Bounty Program. And because of this program, everyone who uses Prezi is now enjoying a more secure experience. It’s not just us that has benefitted: bug hunters around the world have enjoyed financial reward for every bug that was within the scope of the program, and we’ve paid out more than $13,000 so far.

We recently had a bug pointed out to us by a security researcher (Shubham Shah) that was outside the scope of the program. He found a problem, something that prompted us to change our code base, and we are grateful. We should have shown our appreciation, even though it was outside the program scope. We have already reached out to Shubham to offer both a deserved financial reward and an apology.

The Learning

The program will continue with a limited scope for now, because the in-scope subdomains are the high-priority areas we identified as making Prezi more secure for everyone who uses it. The scope also gives legal protection to any hacker who tests the security of Prezi without hurting the integrity of our users’ information. We absolutely don’t want to encourage people to stray outside of the scope.

However, to improve the program, we will now reward bug hunters who find bugs outside of the scope, provided that they do not compromise our users’ information and that their report triggers us to improve our code base. We will also retroactively check whether any other report found issues that fall into this category, and we will pay the people who submitted those reports.

We’ll add more to the scope as the program continues, but we did not want to wait to get started with the bounty hunt until all areas were covered. We thought it more important to deliver value to the people using Prezi as quickly as possible. We achieved that goal: most reported issues were fixed within 24 hours.

We have let down someone from the very community that we reached out to with this program. We’re sorry for that, and we will endeavour to do better in the future.