[panpanna]

> They can be when they try to live off of bug bounties alone.

I think that's the problem. You shouldn't be entirely dependent on bounty money, because sooner or later you will find a bug that is worth 10x or 1000x on the black market.

I have seen white hat bounty hunters go rouge in such situations and entirely blame it on the cheap ass companies that won't offer the "right" amount.

Nobody owns you anything, you are doing this mostly for fun. The bounty is just a bonus.

[albntomat0]

> Nobody owns you anything, you are doing this mostly for fun. The bounty is just a bonus.

That's missing a key point of the bounty system. Slack and its users are better off that this bug was 1: discovered and 2: responsibly reported. The bounty increases the number of eyes looking, but also incentivizes folks to look into weird crashes or fight through the drudgery of triaging odd behavior.

The bug value also shows how much Slack here values their security, and makes me wary of them if I was in the place to be a customer of theirs.

[jcims]

> The bug value also shows how much Slack here values their security, and makes me wary of them if I was in the place to be a customer of theirs.

Most directly it shows how they value a bug bounty program. There are companies that spend hundreds of millions of dollars per year and have thousands of people in their infosec program that don’t have bug bounty programs.

You can extrapolate that to how they value security but that’s not necessarily directly correlated.

[albntomat0]

>There are companies that spend hundreds of millions of dollars per year and have thousands of people in their infosec program that don’t have bug bounty programs.

Such as?

[jcims]

Large banks in the US.

[jcims]

Totally agree with you. I’m waiting for this to start going the way of Uber.