I hope he debugged it before returning it
An Australian penetration tester named Shubham Shah has become the latest to complain about bug bounty programs that offer pathetic – or no – rewards. The bounty program in question was run by Prezi, a slideware-as-a-service outfit. The terms of the program state that only certain “ … domains (and every service accessible on …
Sysadmin: He found a flaw in our security and accessed the crown jewels of the company
MBAA: So what, it wasn't listed in the rules and we don't have to pay him.
Sysadmin: He could have sold the code to a competitor, inserted trapdoors or actual malware in it.
MBAA: But he didn't (thinks: Because he's weak and trusting. I would have shown no such "mercy.")
Sysadmin: You are kind of an a**ehole, aren't you?
MBA has a chat with lobbyist to make pen testing illegal even when invited to do so.
Seems more akin to finding a key under your doormat and trying it in the door.
Surely a bug is when things don't operate as intended, rather than simply being operated poorly.