by gorgoiler 2115 days ago
$1750 for that?! Security researchers need to organize!

I have no idea what I’m talking about but my guess would be that the security economics of finding an RCE make it very valuable. The disclosure would be worth considerably more to Slack than this bounty. Something in the order of months’ worth of skilled labour, not hours.

I suppose the economics also mean Slack only have to outpay the bad guys, so this is really showing us how poorly compensated black hat labor is?


How would you even monetize that? This requires existing employee access to be able to post a message to the company Slack and hope other employees click it.

The vulnerability could do a great deal to pwn a company as long as you already have a compromised user account in the company. That's not a wormable RCE, that's not zero click (I'm not saying it's not bad).

Is there a market for high-touch, highly targeted attacks? Maybe, if you can enter into business with the NSA or a ransomware group, the few who can monetize this sort of thing. Good luck.

A lot of companies give external folks access to their Slack to communicate. Plus there are a lot of communities that use Slack among pseudo-anonymous users. For example Reddit employees including the CEO use Slack with several hundred community moderators. An RCE on their computers would be a huge deal.
Twitter was vulnerable because of a social engineering attack via their Slack, so it's definitely possible to get access to post a message.
They have; you may have heard of ransomware. :)
>$1750 for that?! Security researchers need to organize!

https://hackerone.com/slack?type=team

It says right on the tin what the payout is going to be. If you don't like the terms of the program, don't participate. It's not really that difficult a concept.

Had the researchers (unethically) published it as a zero-day vulnerability in e.g. a blog post stating "the slack payout wasn't enough for us to care" - what would've been their legal risks?

I assume that would be _one_ way to get companies to care more about rewarding people who spend substantial amounts of time researching their security.

Finding and disclosing vulnerabilities predates bug bounties by a long stretch. Bug bounties are simply an incentive for people to follow a scope and disclosure policy through a legal safe harbor and small financial incentive, but they aren't always effective at that. Folks that operate outside of the bounty program don't have that safe harbor and are likely exposed to the full force of whatever domestic 'hacking' laws exist on the books. In the US this has resulted in jail time and fines.

If someone doesn't like the terms of a particular bug bounty program, I would ask why they are doing research against that company to begin with. That's like someone really wanting kids dating a person that doesn't want kids and hoping they will change their mind after they see how awesome it will be. Almost without exception, if you read the comments from the individuals reporting the bugs, they will actually defend the status quo (as is the case here if you dig around). It's mostly just loud people in the vicinity of this trying to drive up the market.

Of course in my example I could try to incentivize said partner to have children by all sorts of unethical means, and there are certainly ways for researchers to try to incentivize corporations to increase bounty scope or payout by unethical means. This is generally considered 'extortion'.

Lastly I think it's also important to point out that legality has nothing to do with ethics, and I certainly believe there are cases where disclosure is warranted outside of any established paradigm of 'responsible disclosure' or bounty program.

A friend of mine swears that you can be sued for 'business damages' over improper disclosure. Sadly, the US is a non-permissive environment so I tend to believe it.
I think that friend of yours is almost certainly wrong, and for decades now there have been notable researchers who disclose publicly and immediately.
In many cases that is correct, but in practice this will never happen.
I mean I certainly am not smart enough to complete a bounty half as big a deal as this, and I could certainly use a month's rent in cash.

My point was about the wider security economy. It feels like Slack are lowballing for work which they have a moral duty (er, moral in the sense that spectres haunt Europe) to pay something more like a living / minimum wage for hackers.

Your link seems to indicate that this falls into the "$5000 and up" category.