Hacker News
by kamyarg 2121 days ago
I really hope they amend the bounty paid to actually compensate you for the find.

As a Slack user, seeing them pay < $2K for an RCE report does not make me feel safe. The next person finding something similar might be looking at this and saying "$3K? No thank you, I'll take the risk of getting caught but be paid fairly."

To be clear, I am not advocating for this, but it makes me concerned as a user that "some people" will be more likely to do it.

2 comments

The point is: you don't really need the black market or to do anything illegal to be paid fairly for such research. There are plenty of absolutely legal security companies that will pay you 10x for an exploit like that and then just sell it to the highest bidder (read: all kinds of government entities).

And yeah, those companies in turn work for 3-letter agencies and foreign governments. Of course many would consider selling to them unethical, but it would be absolutely legal.

Another likely outcome is that folks aren't going to look at all, or only at a surface level. This leaves low-hanging bugs for those with malicious intent to find easily.