[Voliokis]

> However, bug bounties are not a job. Nobody is forced or obligated to do anything. I'm giving them 'a pass' in the future :) It's great people are discussing this and surely it will improve things for future researchers.

Shouldn't people like you be able to do this for a living if you want to? It's valuable work. It has real market value. It seems like you're doing this for fun and genuine interest and I do admire that. Maybe you don't want to taint your motivation with the idea of "how much money can I get for this?" I get that too. But as an outsider, I see this low pay-out and I see exploitation under the guise of "doing the right thing". I genuinely want you to be paid more. You deserve it.

I feel like the only way this kind of thing will change is if people are more vocal about how inappropriate the low compensation is for a company like Slack. Public criticism is necessary and, unfortunately, the only tool we have nowadays to effect change. I understand if this isn't a hill you want to die on, but I hope that other people (particularly people who aren't in bug hunting) are willing to pressure Slack to reconsider its policies.

The problem with "others will ignore it in the future and ultimately they lose" is that it's a passive signal that is too easily overlooked and ignored. It never reaches anybody with any kind of influence who can make changes. If a big exploit happens and somebody does a root cause analysis, it's never going to lead to the conclusion that "well, it's because we haven't been paying enough in our bug bounty program, we need to change that", if only because there's no data about how many people passed on helping them out because of the low payouts.

[oskarsv]

Yes they should and I think I could. This exploit was more of a fun challenge.

I support and agree to everything you are saying. I love the community response. I too loathe the bug bounty asymmetry in power between corporations and reporters, but it exists.. by design. How do you imagine a researcher can 'demand' more money in this situation? They can choose the amounts arbitrarily and there is nothing legal or ethical you can do about it.

I haven't seen any proposals for real solutions - how would you ask this? How do you decide the amount for each company? Solutions, which do not bypass ethics or laws. I hope that 'the market' will solve this eventually and I think I at least raised awareness.

[panpanna]

How much time did you spend on this?

Would you have done without excepting any rewards, i.e. just for fun?

[oskarsv]

Context matters. In this case it was a challenge because of previous research and I would've done it just for fun and the experience. I'm lucky I can afford to do that. Doesn't mean I don't value compensation.

In other cases maybe yes, maybe no - for some nonprofit, maybe someone needs help? are they a business and can they afford to compensate this kind of work? maybe it is some prominent product? there is no simple answer

[tptacek]

Vulnerability researchers with track records make more than software developers do. This whole thread is pretty weird.