
$50K at 15: Zendesk Bug Bounty Drama, White Hats & Weak Links
From SEEK Bytes by SEEK
April 8, 2025 · 29 min · Season 2 · Episode 37
About this episode
This episode discusses a 15-year-old hacker's discovery of a significant bug in Zendesk and the ensuing ethical and security implications.
What happens when a 15-year-old hacker quietly discovers a single bug that touches over half of the Fortune 500, chains it into a Slack takeover, and walks away with $50K in bug bounties – only for the original vendor to refuse to pay? In this episode of SEEK Bytes, we break down Daniel’s Zendesk exploit, the ethics of disclosure, and what “white hat” really means in practice. We unpack how a “basic” support inbox (support@company.com), misconfigured SSO and email spoofing turned into a way to join internal tickets, steal Slack access and read sensitive conversations – all via a third-party tool many enterprises barely think about. We also dig into how bug bounty programs work, why Zendesk’s scope call sparked controversy, and how SEEK runs security exercises to stay ahead of attackers. In this episode you’ll learn: • How the exploit actually worked end-to-end – from Zendesk ticket IDs and CC’ing yourself onto “internal” threads, to chaining Apple/Google OAuth and Slack login for access to private workspaces. • Why the bug bounty outcome was so controversial – how email-spoofing being “out of scope” left Daniel unpaid by Zendesk, and what this means for incentivising white-hat…
People in this episode
Host: SEEK
Guest: Daniel
Topics covered
- bug bounty
- hacking
- cybersecurity
- ethical disclosure
- white hat
- security vulnerabilities
Keywords
- bug bounty
- Zendesk exploit
- white hat
- email spoofing
- security exercises
- Slack takeover
- Fortune 500
- vulnerabilities
- third-party tools
Mentioned in this episode
Organizations: Zendesk, Apple, Google, Slack
More episodes of SEEK Bytes
- Responsible AI: Bias, Blind Spots & Big Risks (with Sreyna Rath) · June 9, 2026 · 31 min
- PERL: The Smart AI Workflow · June 2, 2026 · 31 min
- Vibe Coding with AI: Non-Developers building apps (with Helen Giapitzakis) · May 26, 2026 · 53 min
- New AI Tools, Same Old Bugs? The crew react to the Next Wave · May 19, 2026 · 42 min
- OpenClaw: Build your own AI Agent workforce (without getting burnt) · May 12, 2026 · 35 min
- NX Supply Chain Attack Explained (with Trevor Kilvington) · May 5, 2026 · 38 min
Explore listener stats, chart rankings, contacts and more on the SEEK Bytes podcast page.