[Voliokis]

Unfortunately, we live in a world governed by money as a motivator. While you might not be in it for the money, many people are, to a certain degree (you know, to make a living and to be able to afford a decent life). If companies are unwilling to pay anything remotely close to what researchers' time is worth, then they shouldn't wonder when people prefer to sell the exploits that they find to those who do value their work appropriately.

And frankly, we shouldn't be giving companies a pass for being cheap because "reporting it responsibly" is the right thing to do. These companies are benefiting to a great degree by offloading vital security research onto unaffiliated and unknown third-parties. Your time, as well as the time of any other hacker or researcher, is valuable and needs to be compensated. I don't see why it's fair to any of us that we should have to work for free or for low pay-outs just because we might be doing the right thing. Same goes for any other career that is badly paid just because "they're helping people".

[oskarsv]

I agree with you. It's super low, but I and others will just ignore it in the future and ultimately they lose.

However, bug bounties are not a job. Nobody is forced or obligated to do anything. I'm giving them 'a pass' in the future :) It's great people are discussing this and surely it will improve things for future researchers.

I consider bug bounties like competitions. The 'prize money' is defined beforehand. You don't have to compete if you don't want it. You can also compete for the 'notoriety'. Knowing the stakes, do you complain after getting 'first place'?

Everything you own or do is only worth as much as someone is willing to pay for it, everything else is just speculation.

[fancythat]

In my country there is a sort of obligation to get 10% of value in case you find something valuable but is more applied to found money. Many times people just return what they have found without taking any reward. This could be extrapolated to bug bounties as well. How much would Slack or its clients potentially loose, if this bug was exploited? I think that everybody could agree on some sum, lets say 200k USD. In that case 20k should be paid.

Another approach is to take invoice for last security audit and simply pay the whole amount of that invoice to the researcher. If none was ever done (good God!), just some usual quote for pen testing the targeted application could be applied.

HackerOne could also enforce minimum payouts per exploit category.

[hashkb]

What you do, though, is objectively more valuable to Slack than you were paid. They have reframed security as the competition you mention, but the stakes are much higher and they're sidestepping with this issue of "responsible reporting".

[chrisseaton]

> What you do, though, is objectively more valuable to Slack than you were paid.

This is a meaningless statement.

Obviously all work is more valuable to the company than what they pay you to do the work... otherwise they wouldn't pay you would they? Because they'd get nothing out of it.

If your work generates £5 for a company, then why would they pay you £5 or £6 for it? What's in it for them?

[weswpg]

Obviously the point is that the gap between how much the person deserves and how much they're paid is particularly significant in this case

[IncRnd]

Payments from a company are subjective not objective. There is a single purchaser, in this case Slack, and the researcher already said that he wouldn't engage in unethical behaviour to make more money. Just sell the vulnerability to Slack, and be done with it.

Business owners of failing businesses, when they go to sell, many times think, "I've put in a million hours for this, so I need a million dollars." But, that will never happen.

[Voliokis]

> However, bug bounties are not a job. Nobody is forced or obligated to do anything. I'm giving them 'a pass' in the future :) It's great people are discussing this and surely it will improve things for future researchers.

Shouldn't people like you be able to do this for a living if you want to? It's valuable work. It has real market value. It seems like you're doing this for fun and genuine interest and I do admire that. Maybe you don't want to taint your motivation with the idea of "how much money can I get for this?" I get that too. But as an outsider, I see this low pay-out and I see exploitation under the guise of "doing the right thing". I genuinely want you to be paid more. You deserve it.

I feel like the only way this kind of thing will change is if people are more vocal about how inappropriate the low compensation is for a company like Slack. Public criticism is necessary and, unfortunately, the only tool we have nowadays to effect change. I understand if this isn't a hill you want to die on, but I hope that other people (particularly people who aren't in bug hunting) are willing to pressure Slack to reconsider its policies.

The problem with "others will ignore it in the future and ultimately they lose" is that it's a passive signal that is too easily overlooked and ignored. It never reaches anybody with any kind of influence who can make changes. If a big exploit happens and somebody does a root cause analysis, it's never going to lead to the conclusion that "well, it's because we haven't been paying enough in our bug bounty program, we need to change that", if only because there's no data about how many people passed on helping them out because of the low payouts.

[oskarsv]

Yes they should and I think I could. This exploit was more of a fun challenge.

I support and agree to everything you are saying. I love the community response. I too loathe the bug bounty asymmetry in power between corporations and reporters, but it exists.. by design. How do you imagine a researcher can 'demand' more money in this situation? They can choose the amounts arbitrarily and there is nothing legal or ethical you can do about it.

I haven't seen any proposals for real solutions - how would you ask this? How do you decide the amount for each company? Solutions, which do not bypass ethics or laws. I hope that 'the market' will solve this eventually and I think I at least raised awareness.

[panpanna]

How much time did you spend on this?

Would you have done without excepting any rewards, i.e. just for fun?

[oskarsv]

Context matters. In this case it was a challenge because of previous research and I would've done it just for fun and the experience. I'm lucky I can afford to do that. Doesn't mean I don't value compensation.

In other cases maybe yes, maybe no - for some nonprofit, maybe someone needs help? are they a business and can they afford to compensate this kind of work? maybe it is some prominent product? there is no simple answer

[tptacek]

Vulnerability researchers with track records make more than software developers do. This whole thread is pretty weird.

[Wowfunhappy]

So, what is the right thing to do if you find a vulnerability in Slack?

[kevingadd]

There are western vulnerability brokers that sell advance warning of exploits to clients like large corporations and governments so they can protect themselves, then presumably handle notifying the company in question so the bug can get fixed. Of course, one problem is that their clients are free to abuse the exploits, and another problem is there's no guarantee they'll make sure the exploits get fixed... but that's certainly an option for you if you aren't comfortable using HackerOne.

Another option is to just disclose it to the public a set number of days after notifying them, like Project Zero.

[albntomat0]

I think the key thing is that there's a wide range in the amount of effort someone will put into looking for bugs/exploits, guided by a number of factors, like how fun the bug is to work on, the monetary reward, and any prestige from being the one to find it.

If an obvious vuln appears, obviously report it. But, these reports require a lot of work. It'd also be perfectly ok if the researcher reported whatever obscure behaviour they found initially, and went to go look at other targets with better bounties, played with their dog, etc.

[kevin_b_er]

Open disclosure on day 0 it would seem.

[Voliokis]

This might be unpopular, but if you don't feel like the compensation adequately reflects your effort, then you're free to do whatever you think is fair. It's your work. Slack isn't entitled to that work. Ideally, you'd check beforehand what a bug bounty program usually pays out and then decide whether to work on some other company's product that pays better. But you're always going to have people who are interested in doing this stuff and you're always going to have people who will look for the best pay-out for the work they've done.

The problem with starting with the baseline of "the right thing to do is always to disclose the vulnerability to Slack regardless of how little they pay" is that it perpetuates the exploitation of legitimate and important work by skilled workers. The onus should be on Slack to provide fair compensation, not on people doing this important work to "do it out of the good of their hearts".

Slack as a company had a revenue of $401 million last year and the average payout in their bug bounty program is $1376 (https://github.blog/2018-03-14-four-years-of-bug-bounty/). That's just disgusting.

[Wowfunhappy]

> Slack isn't entitled to that work.

Sure, but that isn’t the user’s fault, and they’re the ones who are going to get attacked. I don’t disagree with your other points but I don’t think selling an exploit on the black market is the right solution.

Perhaps the best compromise, as I think about it, is to just make the exploit public with no prior warning to the vendor. That’s not great for users either, but at least they’re informed, and the vendor will be left scrambling. But in that case, the researcher gets paid nothing at all.

[tjbecker]

> Sure, but that isn’t the user’s fault, and they’re the ones who are going to get attacked.

This is true, but the responsibility to protect these users is ultimately on Slack, not the researcher. If Slack's bounties are nowhere near competitive with black market prices, they are failing to protect their users and should be called out on it.

[panpanna]

> whatever you think is fair

Please give us some examples of what you would consider fair in this situation.

[tpxl]

Hours worked for the exploit * 50$ should be enough.

[bawolff]

That's silly.

If someone spends 100 hours coming up with, say a clickjacking vuln, it does not magically make it worth $5000. If someone spends 6 minutes coming up with zero-click sandbox bypass in chrome, its not just worth $5.

Severity matters not time, especially in a bug bounty. If you want the stability (and assurance) of actually getting paid reasonsbly and consistently for this you should get a job as a pentester.

[rubber_duck]

That's kind bad - first of all 50$ can be really low depending on the region, but more importantly this disregards the time spend on looking for exploits that don't pan out.

So I would multiply that 50$ by at least 4.

But still like the other said bugs should pay by severity not by time spent.

[IncRnd]

The researcher would probably get paid even less, if that is the case.

The value of an exploit has nothing to do with the development time.