"Out of scope". Wow. Even more worthwhile that such a huge out of scope bug was found. These companies seem to try anything to keep from paying bug bounties.
To be fair, there was a scope set, and the author was fully aware of it:
> I had spent a total of 2 hours sifting and crawling through their services which were in scope, but wanted to see if I could locate any other subdomains, with the assistance of google.
While I agree that he most certainly found a "bug" (perhaps flaw would be a better word), it was out of scope. And using credentials from an employee to log in is nearly always out of scope.
That said, he could have gone "gray-hat" and used the source to find in-scope bugs. Such a resource would be invaluable to an exploit author or bug bounty hunter.
You're right, but it will still get you into legal trouble. Not only may you not get a bounty, but they might sue or press charges for essentially copying and scanning their source code.
Generally "gray hat" and "corporation/law-friendly" don't mix, even if there are some cases that call for it.
Using login in credentials that are not your own found in a public place to take source code is like finding someones house key on a park bench and coping their secret invention designs or trade secrets.
As I read it, he didn't use the credentials to take the source code; he found the credentials in the source code. He used the credentials merely to verify the credentials were valid.
Define "take" source code. Do you mean "read" or "access" source code? I know this is an aside, but I think we as a community need to be more judicious in our use of criminally-accusatory words, especially when it comes to taking/stealing/theft vs copying vs distributing/selling vs reading/watching/accessing. They're all very, very different things.
You read my post in the ~5 secs widow where it had the word "take." It was the wrong word because in the case I was talking about it would not have deprived Prezi access to their source code.
From Wikipedia, which agrees with my understanding of the phrase: "… such people sometimes act illegally, though in good will, to identify vulnerabilities in computing processes." My point, though, is that it's hardly out of scope when it's a valuable resource for developing novel attacks on in-scope domains.
There should be some neutral third party non-profit that adjudicates bug bounties so that security researchers don't need to worry that their efforts will go to waste.
Companies could sign on to using this third party and pay a fee and put up escrow for the service. This would motivate researchers to find bugs for those companies that utilize the service, knowing payment will be impartial.
A simple option is CrowdCurity - reward programs as a service. Private or public, dollars or bitcoin payments - everything setup and managed for the companies.
You know, you are just harming yourself this way. If you must show your stuff on HN, why not post it as a ShowHN?? why do this dishonorable thing to gain attention? IMO it actually harms you.
Ps: the idea is pretty cool. So is the implementation =) though how would you guys have handled if an issue like this occurs on your platform? A submitter submits a bug but the company refuses to pay for it citing "out of scope" ??
"We're pretty sure your actions were taken in good faith". Ouch, their email response contained barely an iota of gratitude and it was almost on the verge of passing judgement on his character.
It was out of scope. The rules are pretty clear: http://prezi.com/bugbounty/ and he broke at least two of them.
And it seems like he knew it was out of scope when he submitted it too: "I had spent a total of 2 hours sifting and crawling through their services which were in scope, but wanted to see if I could locate any other subdomains..."
Now I think Prezi should probably have paid him anyway because that's a pretty boneheaded error and I'd be very grateful if someone politely pointed it out to me... but they aren't obligated to. You can put your pitchforks down.
Sometimes people and companies have their heads stuck so far in procedures and policies that they can't see the forests from the trees.
The Finder provided tremendous value by discovering this issues and reporting it responsibly. He certainly should be rewarded with something more substantial than swag.
Would Prezi have preferred that the Finder just not report this issues?
It's not like they got him on some legalistic technicality. The bug bounty clearly doesn't cover the bug he reported.
And I don't usually go looking for them, but if I come across a security problem (e.g. someone left login credentials unsecured in bitbucket) I would let them know because it's the right thing to do, not because I expect cash.
It's not a technicality, but you're just saying "well, that's the policy" without considering whether the policy is the best way to accomplish certain goals. That's the point.
You're not entitled to a bounty just because you found a bug. Some companies offer these bounties and it's good that they do, but that doesn't mean every company is obliged to offer them, or that a company that offers bounties for some bugs is obliged to offer them for all bugs.
How about a moral obligation? Honestly, it sounds like if a taxi driver returns a bag full of cash to the owner, it is perfectlly alright if they just say "Thank you" and walk him to the road. Legally: nothing wrong, morally: being a greedy asshole.
Frankly if a taxi driver bitched on his blog about someone doing that I'd be saying the same thing. It's nice when someone gives you a reward for doing the right thing. But you shouldn't act like you're entitled to it, because you're not.
> But you shouldn't act like you're entitled to it, because you're not.
Depends where you are. In Germany you are entitled to a finder's fee by law (in the case of the taxi only if the value is > 50€ and only 2.5% instead of the normal 5%)
It should absolutely be in the interest of companies to reward security researchers who find flaws in their systems. Otherwise, they will be screwed by the less scrupulous.
We are talking about different things. Sure it's in the company's best interest, just as it is in the interest of someone that loses their wallet to offer a reward. That said, when nothing is offered up front (possibly because the problem is unknown), to feel entitled to a reward and disgruntled when one isn't offered is not what I would call "moral" behavior, as brought up farther up-thread.
It's moral when you do it because it's obviously the right thing for everyone involved. When there's money involved, that's something else.
Just because you're complaining doesn't mean you feel entitled. If someone is rude to me and I complain about it, and I expressing that I feel entitled to have non-rude interactions with this person? If I post a negative book review am I feeling entitled to a good book?
But is it rude for someone to not monetarily reward you for doing something good? That's what I was replying to up-thread. To feel you deserve compensation for a good deed when there was no prior agreement as such is indeed entitlement.
This thread hasn't really been about the article for a while. It's been about someone feeling that people that don't reward for good deeds are greedy assholes, which I think sets a bad precedent. If you want to incentivize fine, but let's not confuse that with what the right thing to do is.
How about a moral obligation? Honestly, it sounds like if a taxi driver returns a bag full of cash to the owner, it is perfectlly alright if they just say "Thank you" and walk him to the road. Legally: nothing wrong, morally: being a greedy asshole.
That's a false analogy. Taxi drivers are obligated to return lost property, but nobody is obligated to report bugs. That's why you create an incentive to report, i.e., the bug bounty.
Aye! Its not a perfect analogy but I was pointing out why people should reward the guy if he didn't exploit the situation in a wrong way. In this case, it was the whole source available to him. Albeit, he was more or less inclined to report the bug but what if he hadn't and probably sold it somewhere? why shouldn't the company reward for his effort.
I think he means that if we're not holding Prezi ethically responsible to pay the bounty, then we can't then start saying the researcher is ethically bound not to sell the exploit.
Why not sell it? People sell URLs all the time, and bitbucket is clear written intent from the company that they wanted their source control systems accessible to the public else they would not have provided written notice to the world of their passwords.
Surely the creators of the software are competent software experts who fully understood the implications of making their repository public. Surely, they are not asserting that they were so negligent in the performance of their duties as to not check whether the repository would be made public.
Also, they've made numerous written affirmations that the issue found is not a bug, and would not qualify as part of their bug bounty for security flaws.
They are morons and deserve to be hacked because they are negligent and make affirmations that leaving their source control system passwords on public computers is not a security issue worthy of payment. They deem the risk to be so insignificant as to not even be worth $500.
That waives legal responsibility, but I fail to see how it affects ethics/morals. The ethical implications of an action are determined by the community/profession, so if the community agrees that this was unethical, it was.
This is some crazy entitlement culture. If you help someone out, you are not entitled to a reward. If you want a guaranteed reward for your efforts, get a contract first.
As an aside this very thing is an excellent example of how extrinsic motivators can "poison the well" as it supersedes intrinsic motivation. Dan Pink gave a great talk on this -- http://www.youtube.com/watch?v=tJr9QajdCNc (sorry, I prefer the illustrated version).
"Now I think Prezi should probably have paid him anyway because that's a pretty boneheaded error and I'd be very grateful if someone politely pointed it out to me"
But Shubham did one additional thing, he unintentionally embarrassed a founder. That's the real reason he's not getting paid, everything else is a technicality...
I don't understand why companies start those bug bounties and later try to avoid paying out the rewards. If it were me, I'd book the reward amount as "spent" the minute I decided on a bug bounty hunt.
I think this is (yet another) lesson that participating in these kinds of bounty hunts is very risky and should only be done if the company is reputable (which this one apparently is not).
The analogies are beside the point. Logging in to a system which you don't have permission to access just is illegal in many countries, whether you think that it ought to be or not.
I don't see how those two statements are consistent with each other. The first says you're trying to judge whether or not the law is reasonable, and the second says that you're not trying to comment on what the law ought to be.
Apparently neither Prezi nor the guy who found the login are American, so this particular law might not apply, but many other countries have similar laws.
I think they acted pretty fairly by pointing out that it's the logging in that they have issue with. Although it's not as satisfying, I think Shubham could have submitted the link and credentials to Prezi without actually accessing the repo. In particular, the report email contains the snippet "... I explored the nexus console to confirm that ..." and I can understand Prezi not wanting to encourage pen testers to explore their systems, even if they find them open to the world.
I don't get how there seems to be absolutely no human side to these cases.
Guy discovers critical vulnerability and could have completely fucked the company over. Instead he responsibly reports it, and he gets back a big fuck you. How can you possibly think that's fair? The fact that it's out of scope only means they should give him an out of scope reward - much higher!
Saying he could have not checked the credentials is a bit silly, because if the credentials were invalid (quite likely), it goes from CRITICAL to MINOR.
And isn't the entire point in bug bounties to encourage pen testers to explore your system? Sure, you don't really want them poking around your source control, but better that than black hats.
All of the above aside. They really couldn't spare $500 for someone who could have caused $millions of damage?
> Guy discovers critical vulnerability and could have completely fucked the company over.
We all frequently have the opportunity to cause damage, but we don't get rewarded for _not_ doing so. I think Prezi may have given the cash reward if the pentester hadn't logged in and browsed around. They probably don't want to set a precedent (take the data you find, get cash reward).
> ... because if the credentials were invalid (quite likely), it goes from CRITICAL to MINOR.
Agreed, but either way the pentester won't be able to fix it. All he can do is report his findings.
> ... but better that than black hats.
Agreed, but if you stray outside the terms of the bounty then you're no longer guaranteed the rewards. I think the pentester tried his best to report responsibly but I don't think Prezi are obligated to give the reward, based on the terms.
This seems to be key. Did he just verify the credentials, or did he poke around thereafter? If the latter, Prezi has a better case but they should have stated it more clearly.
> "Anyways, they did try and get it right, by emailing me an apology as well as responding to my constructive criticism. This blog post, is by no means attempting to discourage people from participating from Prezi’s bug bounty, but rather just a blog post about how finding Prezi’s source code was not eligible for their bug bounty."
Passive aggressive much?
I think he should have got a bounty -- if not the official one, then a special, bigger one. However, this is an odd way to conclude the post. "Oh, I'm not at all trying to discourage others for participating, oh no no". Of course he's trying to discourage others. With justification. I don't get it.
Oh I see. You mean like, "Here's my experience; I decided to stop participating. But I'm not advising you to. Offer not valid in all areas. Yada yada..."
I think he's just being humble: he disagrees with their policy, but isn't claiming that everyone else should just because he does--make your own decision. Fair enough.
Exhibit A of why having a scope for bug bounties is a terrible idea. What is the point of testing your app for esoteric bugs when your entire source code and passwords can be Google dorked?
Ignoring the bounty thing for a second, their email response "we think it was in good faith" seems... Not right to me. Am i reading that weird or did they seem pissed about him finding something like that?
He plugged a huge issue for them, and they screw him over due to "scope"... That's their choice, but it still seems bureaucratic to me.
They're talking about viewing the source code and testing the login. The author could have just reported the leaked credentials and not logged on. Testing them especially since it wasn't part of the program falls under potentially extremely malicious.
What this guy describes doing (using accidentally exposed credentials to log in to somewhere) is quite a bit more than what other people have been successfully prosecuted for violations of the CFAA for. I'd be careful.
Really? According to this monograph even logging into a non-password-protected wifi network which doesn't belong to you has been treated as a case of theft in Hungary:
One wonders if he wouldn't have been better[1] off downloading their app source, and using that to find 'in-scope' vulns much easier than everyone else. They might catch on if you're too effective though. Maybe a spot of plausible parallel construction.
[1] Except for the totally illegal aspect, obviously. And the not-telling-them-their-source-is-open-to-the-world bit.
So let me get it straight, someone, aware of their bounty program or not, found their closed SOURCE CODE, and is getting a T-Shirt? How much do you value your own source code? at least 10,000$ right? ;) (probably much, much more) who cares about the scope, if someone found my wallet on the street which had 10,000$ in it, I would give them a bit more than a T-Shirt, I would buy them a whole wardrobe.
Think if someone found the source code for Windows / Office / Photoshop, without any bounty program, and responsibly disclosed it to the respective companies. If he didn't walk away with nice amount of money, he could easily just put it in the nearest torrent site* without even feeling guilty (*this is wrong, and illegal, don't do it)
But.. that can be said about any java (jar) programs class files. It is also not difficult to decipher the asm of a disassembled exe file, but to equate that with finding the source code of the program would be disingenuous.
Decompilation of executable C files is much less accurate and usable than decompilation of Java class files, which usually produce verbatim Java source code. I don't know if source was or wasn't directly disclosed here, but if they leaked vanilla Java class files, that's basically equivalent to their source code.
You can drag drop that jar file into http://jd.benow.ca/ and in two clicks you have 100% of the source code, variable names and all. It's not the same as decompiling an C executable by any means.
I don't know of enough places that use Nexus to say whether it is common practice or not, however we do not bundle jar files with sources at my place of employment where we do use Nexus. If we wanted to bundle sources into jar that would have to be done so explicitly, as it would require something like mavens source plugin. In fact in maven the standard seems to be to include sources in a separate jar, if one wants to publish the sources i.e. again requiring explicit choice and configuration.
It would have been easy for him to steal the source code and blackmail them for bitcoins... companies are encouraging others to turn to the dark side by not giving fair rewards. I'm pretty sure there are lots of smart people living in difficult economic conditions who will now think twice before reporting a serious vulnerability at the risk of an unfair reward. If Synack can solve this it would be a major win for everyone.
Are bug bounties roughly the market value of security holes in software? I wonder if this guy or less scrupulous developers could make more for them on the black market?
If the exploits are for the right targets, you bet they're worth more on the black market, but with great reward comes great risk: now you're doing something that can possibly get you jail time.
So the question I haven't seen asked in this thread is: Why is anyone still using something other than SSH to connect to their version control system? Why is any software still using usernames and passwords stored in plain text anywhere? With SSH, you create SSH key pairs and set a passphrase on the private key... which shouldn't end up in any public place, ever.
Well the credentials in the properties file shouldn't have ended up in a public place ever. So if you replace username/password with a key, a human can still accidentally publicize the key.
Having stringent terms for a bug bounty program basically means you're trying to get the community to do your team's job. Agree with @nikcub - it should be wide open, because finding this out was huge, no matter how "simple" it may have been.
What is the gain in setting up a "Can you hack us?" and then make some parts out of scope?! It's not like a black hat hacker would go "Oh well, this isn't their usual domain, so It's not fair" -.-
The only thing this causes is exceptionally bad PR, or even worse for the company; someone just got access and you don't know. Access to source code is like the gold mine of finding an exploit, because you will know exactly where a vulnerability is, and you won't even have to blindly test it.
> What is the gain in setting up a "Can you hack us?" and then make some parts out of scope?! It's not like a black hat hacker would go "Oh well, this isn't their usual domain, so It's not fair" -.-
This suggests that anything less than perfect security is worthless. Which is better, having pentesters look for vulnerabilities in 50% of your surface area, or having pentesters look for vulnerabilities in 0% of your surface area?
Setting up a bug bounty program has a cost, both in terms of processing the data submitted and in potential disruption of the provision of services. This cost will differ from attack vector to attack vector. Having pentesters dress up as utility workers and attempt to sneak into your company offices to install keyloggers will have an extremely high cost in terms of disruption. This cost may be higher than the potential benefit of learning about the company's vulnerabilities in this area.
There are also some attack vectors that may be problematic to allow pentesters to probe due to third-party contracts, data protection laws, compliance issues, etc.
You may disagree with the particular areas a company chooses to define as out-of-scope, but to claim that having any areas off-limits renders the whole enterprise pointless is reductive and incorrect.
> This suggests that anything less than perfect security is worthless. Which is better, having pentesters look for vulnerabilities in 50% of your surface area, or having pentesters look for vulnerabilities in 0% of your surface area?
Is this supposed to be rhetorical?
Say you buy a really good front door for your house, and forget to put a back door on your house. I would say that testing the security of the front door is a waste of time.
You should read the rest of that post instead of stopping at the point you quoted. I think he makes a good point: There are real costs associated with expanding security, and there are points at which those costs can become unreasonably high.
I think your point is too extreme. Locking your front door is most definitely NOT a waste of time, because with that move alone, you've automatically protected yourself against the subset of attackers who don't think to try the back door. Are you still vulnerable? Yes, of course. But decidedly less so. As the OP said, 50% is better than 0%.
The real conversation that should be taking place is not whether or not a limited scope should exist (it should), but how far that scope should extend given the costs of extending it.
265 comments
[ 5.3 ms ] story [ 292 ms ] thread> I had spent a total of 2 hours sifting and crawling through their services which were in scope, but wanted to see if I could locate any other subdomains, with the assistance of google.
While I agree that he most certainly found a "bug" (perhaps flaw would be a better word), it was out of scope. And using credentials from an employee to log in is nearly always out of scope.
I thought the whole point of gray hat is that it's possibly illegal, but not downright "evil".
i.e. Stealing source code to fix bugs = gray, stealing source code to steal credit card info = black
Generally "gray hat" and "corporation/law-friendly" don't mix, even if there are some cases that call for it.
Until he contacted Prezi, how could he be certain beyond any doubt that they weren't already aware of it? Could you explain that to me?
https://en.wikipedia.org/wiki/Grey_hat
Companies could sign on to using this third party and pay a fee and put up escrow for the service. This would motivate researchers to find bugs for those companies that utilize the service, knowing payment will be impartial.
[1] http://www.synack.com/
https://www.crowdcurity.com/
Disclosure: I'm co-founder of CrowdCurity
Ps: the idea is pretty cool. So is the implementation =) though how would you guys have handled if an issue like this occurs on your platform? A submitter submits a bug but the company refuses to pay for it citing "out of scope" ??
And it seems like he knew it was out of scope when he submitted it too: "I had spent a total of 2 hours sifting and crawling through their services which were in scope, but wanted to see if I could locate any other subdomains..."
Now I think Prezi should probably have paid him anyway because that's a pretty boneheaded error and I'd be very grateful if someone politely pointed it out to me... but they aren't obligated to. You can put your pitchforks down.
The Finder provided tremendous value by discovering this issues and reporting it responsibly. He certainly should be rewarded with something more substantial than swag.
Would Prezi have preferred that the Finder just not report this issues?
And I don't usually go looking for them, but if I come across a security problem (e.g. someone left login credentials unsecured in bitbucket) I would let them know because it's the right thing to do, not because I expect cash.
Depends where you are. In Germany you are entitled to a finder's fee by law (in the case of the taxi only if the value is > 50€ and only 2.5% instead of the normal 5%)
If not, I am amazed by your naïveté.
It's moral when you do it because it's obviously the right thing for everyone involved. When there's money involved, that's something else.
This thread hasn't really been about the article for a while. It's been about someone feeling that people that don't reward for good deeds are greedy assholes, which I think sets a bad precedent. If you want to incentivize fine, but let's not confuse that with what the right thing to do is.
How about a moral obligation? Honestly, it sounds like if a taxi driver returns a bag full of cash to the owner, it is perfectlly alright if they just say "Thank you" and walk him to the road. Legally: nothing wrong, morally: being a greedy asshole.
Edit: Fixed truncated second paragraph.
"Taxi drivers and owners must return property they find in a taxicab." - http://www.nyc.gov/html/tlc/html/passenger/sub_lost_prop_inq...
Further: Money doesn't have any owners. Only spenders.
Double standards.
Why not sell it? People sell URLs all the time, and bitbucket is clear written intent from the company that they wanted their source control systems accessible to the public else they would not have provided written notice to the world of their passwords.
Surely the creators of the software are competent software experts who fully understood the implications of making their repository public. Surely, they are not asserting that they were so negligent in the performance of their duties as to not check whether the repository would be made public.
Also, they've made numerous written affirmations that the issue found is not a bug, and would not qualify as part of their bug bounty for security flaws.
They are morons and deserve to be hacked because they are negligent and make affirmations that leaving their source control system passwords on public computers is not a security issue worthy of payment. They deem the risk to be so insignificant as to not even be worth $500.
But Shubham did one additional thing, he unintentionally embarrassed a founder. That's the real reason he's not getting paid, everything else is a technicality...
I think this is (yet another) lesson that participating in these kinds of bounty hunts is very risky and should only be done if the company is reputable (which this one apparently is not).
You did not enter the house you did not explore. You turned the key, the knob, and made sure the door would open a little.
Not something I would recommend, especially since the key had the address and the owner name and address attached to it.
But not as bad as someone entering the home and looking around.
It helps decide weather or not the legal response if any is reasonable.
> whether you think that it ought to be or not.
I was not trying to comment on what I think ought to be.
I am trying to make that judgment and help others to do so.
> and the second says that you're not trying to comment on what the law ought to be.
If I am trying to make a judgment, if I am in the process of reasoning through something I do not know what something ought to be.
Good analogies are those that help people reason through a problem and come to the correct conclusion, not a tool to sway people to your opinion.
https://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_(...
Apparently neither Prezi nor the guy who found the login are American, so this particular law might not apply, but many other countries have similar laws.
They absolutely didn't.
I don't get how there seems to be absolutely no human side to these cases.
Guy discovers critical vulnerability and could have completely fucked the company over. Instead he responsibly reports it, and he gets back a big fuck you. How can you possibly think that's fair? The fact that it's out of scope only means they should give him an out of scope reward - much higher!
Saying he could have not checked the credentials is a bit silly, because if the credentials were invalid (quite likely), it goes from CRITICAL to MINOR.
And isn't the entire point in bug bounties to encourage pen testers to explore your system? Sure, you don't really want them poking around your source control, but better that than black hats.
All of the above aside. They really couldn't spare $500 for someone who could have caused $millions of damage?
We all frequently have the opportunity to cause damage, but we don't get rewarded for _not_ doing so. I think Prezi may have given the cash reward if the pentester hadn't logged in and browsed around. They probably don't want to set a precedent (take the data you find, get cash reward).
> ... because if the credentials were invalid (quite likely), it goes from CRITICAL to MINOR.
Agreed, but either way the pentester won't be able to fix it. All he can do is report his findings.
> ... but better that than black hats.
Agreed, but if you stray outside the terms of the bounty then you're no longer guaranteed the rewards. I think the pentester tried his best to report responsibly but I don't think Prezi are obligated to give the reward, based on the terms.
This seems to be key. Did he just verify the credentials, or did he poke around thereafter? If the latter, Prezi has a better case but they should have stated it more clearly.
Passive aggressive much?
I think he should have got a bounty -- if not the official one, then a special, bigger one. However, this is an odd way to conclude the post. "Oh, I'm not at all trying to discourage others for participating, oh no no". Of course he's trying to discourage others. With justification. I don't get it.
Case closed.
He plugged a huge issue for them, and they screw him over due to "scope"... That's their choice, but it still seems bureaucratic to me.
The Internet isn't just something happening in the United States.
http://books.google.ca/books?id=ZjBvpN0zZNkC&lpg=PA33&ots=Uq...
Not exactly the same situation, but it suggests that the law is fairly strict.
[1] Except for the totally illegal aspect, obviously. And the not-telling-them-their-source-is-open-to-the-world bit.
None of this happened in the United States at all - it's amazing! Non-Americans also have businesses!
Think if someone found the source code for Windows / Office / Photoshop, without any bounty program, and responsibly disclosed it to the respective companies. If he didn't walk away with nice amount of money, he could easily just put it in the nearest torrent site* without even feeling guilty (*this is wrong, and illegal, don't do it)
The only thing this causes is exceptionally bad PR, or even worse for the company; someone just got access and you don't know. Access to source code is like the gold mine of finding an exploit, because you will know exactly where a vulnerability is, and you won't even have to blindly test it.
In the end, everything matters
An out-of-band attack in the datacenter, VPS? Compromise of a developer machine to get inside the network? Social engineering?
in the end, if it caused loss or extraction of service/data, it doesn't matter how it's done.
This suggests that anything less than perfect security is worthless. Which is better, having pentesters look for vulnerabilities in 50% of your surface area, or having pentesters look for vulnerabilities in 0% of your surface area?
Setting up a bug bounty program has a cost, both in terms of processing the data submitted and in potential disruption of the provision of services. This cost will differ from attack vector to attack vector. Having pentesters dress up as utility workers and attempt to sneak into your company offices to install keyloggers will have an extremely high cost in terms of disruption. This cost may be higher than the potential benefit of learning about the company's vulnerabilities in this area.
There are also some attack vectors that may be problematic to allow pentesters to probe due to third-party contracts, data protection laws, compliance issues, etc.
You may disagree with the particular areas a company chooses to define as out-of-scope, but to claim that having any areas off-limits renders the whole enterprise pointless is reductive and incorrect.
Is this supposed to be rhetorical?
Say you buy a really good front door for your house, and forget to put a back door on your house. I would say that testing the security of the front door is a waste of time.
I think your point is too extreme. Locking your front door is most definitely NOT a waste of time, because with that move alone, you've automatically protected yourself against the subset of attackers who don't think to try the back door. Are you still vulnerable? Yes, of course. But decidedly less so. As the OP said, 50% is better than 0%.
The real conversation that should be taking place is not whether or not a limited scope should exist (it should), but how far that scope should extend given the costs of extending it.