Hacker News new | ask | show | jobs
by count 3282 days ago
You should look again:

https://slack.com/security
1 comments
falcolas 3282 days ago
OK: Slack is not currently a PCI-certified Service Provider.

I was also a bit surprised what they consider out of scope for their bug bounty program: https://hackerone.com/slack

link
count 3282 days ago
I can't begin to fathom a use case for slack where you would put card data in the system...
link
fweespeech 3282 days ago
You've never met a call center.

They've sent bug reports with credit card data they've typed in during a phone call through a variety of insecure methods.

They've also written people's credit card info on sticky notes.

Trust me, the horror that is card data and a call center is scary.

link
falcolas 3282 days ago
How about a bug report screen shot? Lots of non-security conscious users don't understand why this could be bad. It's your (making the assumption that "you" in this case is a Slack Administrator) job to protect them from themselves.
link
bogomipz 3282 days ago
The use case is user error. I have also seen no shortage accidentally people paste passwords into Slack as well
link