We continue to have internal discussions about whether we should give this guy the $500 reward.
My advice would be to add up the hours of the people who have contributed internally to this discussion and then multiply it by their hourly rate, then try and add in the rough cost of the delay from these people not spending time on their current projects, add a 30% fudge factor for organisational overhead, add on the $500 that you owe anyway, then double the result and pay that, just so you don't feel like doing this again.
To be frank, this isn't some minor display bug; he had access to your source.
In other words, this could have ended your company.
He could have sold or leaked it. If naivety is stopping you from grasping the possible consequences, then go ahead and read about Adobe's recent mishap.
Sure, in that possibility, that is very true in that nobody could build a full-fledged knockoff product. But what about concepts or features that could result in cheap knockoffs? Designed attacks? Password leaks and user privacy breaches? Customer information that can be sold to competitors? All of the bad PR and loss of business as a result?
You would also have access to their development branches which would give insight into future product features and bug fixes that have not yet been released. The former would be useful information to give to competitors and really put the company into a tough position to compete down the line while the latter could be used to find possible critical holes to exploit.
Who says a competitor has to be the one to exploit security holes? It is much more likely that the source code would be sold on the black market to those who have no qualms about doing this for gain.
This is a no-brainer. Surely the risk of putting off skilled people from your bug bounty program due to the press from this could cost you a lot more than $500.
Bug bounties have a purpose and it is not to generate press or to be an equality outreach program. It is to find bugs.
If the rules are getting in the way of what the organisation is actually trying to use those rules for, then to be a stickler for rules is nuts when the same organisation wrote the rules in the first place and can change them at will.
edit - and if it is necessary due to corporate legal waffle to always be a stickler for rules, then make a rule that details the protocol for exceptions.
Someone at your company should probably be thinking about Prezi's reputation. That person should probably have a discussion with whomever is running the bounty program.
You should stop talking and you were smart to delete that other comment.
I was wondering about what truly happened but now I get the impression that Prezi is officious and bureaucratic and I wonder what kind of customer support such an organization would offer:
"Our Terms of Service say we are not responsible for your lost data. Have a nice day and here's a T-Shirt."
It seems that he pointed out a security vulnerability in your infrastructure - something you do have control over. And if a vulnerability is found in an external service you use, do you feel that you don't have a responsibility to mitigate the risk posed by the service whether or not you have direct control over it?