$50K at 15: Zendesk Bug Bounty Drama, White Hats & Weak Links
Season 2 · Episode 37

A 15-year-old finds a bug that can slip into Fortune 500 Slack workspaces, walks away with US$50k in bounties – and the original vendor still says “out of scope.” In this episode of SEEK Bytes, the crew unpack the wild real-world story of Daniel (aka hackermondev), bug bounty culture, and what it teaches every IT pro about third-party risk, email spoofing and responsible disclosure.

SEEK Bytes · SEEK

April 8, 2025 · 29m 28s

Show Notes

What happens when a 15-year-old hacker quietly discovers a single bug that touches over half of the Fortune 500, chains it into a Slack takeover, and walks away with $50K in bug bounties – only for the original vendor to refuse to pay? In this episode of SEEK Bytes, we break down Daniel’s Zendesk exploit, the ethics of disclosure, and what “white hat” really means in practice.

We unpack how a “basic” support inbox, misconfigured SSO and email spoofing turned into a way to join internal tickets, steal Slack access and read sensitive conversations – all via a third-party tool many enterprises barely think about. We also dig into how bug bounty programs work, why Zendesk’s scope call sparked controversy, and how SEEK runs security exercises to stay ahead of attackers.

In this episode you’ll learn:

• How the exploit actually worked end-to-end – from Zendesk ticket IDs and CC’ing yourself onto “internal” threads, to chaining Apple/Google OAuth and Slack login for access to private workspaces.
• Why the bug bounty outcome was so controversial – how email spoofing being “out of scope” left Daniel unpaid by Zendesk, and what this means for incentivising white-hat behaviour vs pushing hackers towards greyer choices.
• Practical security takeaways for engineers – the real risk of “weakest link” third-party tools, why internal channels are goldmines for social engineers, and how separation of concerns and well-designed bounties can protect both your systems and your customers.

Whether you’re in software engineering, security, cloud, support, architecture or IT leadership, this episode is a gripping case study in modern attack chains, bug bounty programs and why “it’s just email” or “it’s just a ticketing tool” is never the whole story.

👍 Follow the SEEK Bytes podcast so you never miss a new episode.