$50K at 15: Zendesk Bug Bounty Drama, White Hats & Weak Links

$50K at 15: Zendesk Bug Bounty Drama, White Hats & Weak Links

From SEEK Bytes by SEEK

April 8, 2025 · 29 min · Season 2 · Episode 37

About this episode

This episode discusses a 15-year-old hacker's discovery of a significant bug in Zendesk and the ensuing ethical and security implications.

What happens when a 15-year-old hacker quietly discovers a single bug that touches over half of the Fortune 500, chains it into a Slack takeover, and walks away with $50K in bug bounties – only for the original vendor to refuse to pay? In this episode of SEEK Bytes, we break down Daniel’s Zendesk exploit, the ethics of disclosure, and what “white hat” really means in practice. We unpack how a “basic” support inbox (support@company.com), misconfigured SSO and email spoofing turned into a way to join internal tickets, steal Slack access and read sensitive conversations – all via a third-party tool many enterprises barely think about. We also dig into how bug bounty programs work, why Zendesk’s scope call sparked controversy, and how SEEK runs security exercises to stay ahead of attackers. In this episode you’ll learn: • How the exploit actually worked end-to-end – from Zendesk ticket IDs and CC’ing yourself onto “internal” threads, to chaining Apple/Google OAuth and Slack login for access to private workspaces. • Why the bug bounty outcome was so controversial – how email-spoofing being “out of scope” left Daniel unpaid by Zendesk, and what this means for incentivising white-hat…

People in this episode

Host: SEEK

Guest: Daniel

Topics covered

  • bug bounty
  • hacking
  • cybersecurity
  • ethical disclosure
  • white hat
  • security vulnerabilities

Keywords

  • bug bounty
  • Zendesk exploit
  • white hat
  • email spoofing
  • security exercises
  • Slack takeover
  • Fortune 500
  • vulnerabilities
  • third-party tools

Mentioned in this episode

Organizations: Zendesk, Apple, Google, Slack

More episodes of SEEK Bytes

Explore listener stats, chart rankings, contacts and more on the SEEK Bytes podcast page.