|
|
|
|
|
|
by Wowfunhappy
2116 days ago
|
|
|
> Slack isn't entitled to that work. Sure, but that isn’t the user’s fault, and they’re the ones who are going to get attacked. I don’t disagree with your other points but I don’t think selling an exploit on the black market is the right solution. Perhaps the best compromise, as I think about it, is to just make the exploit public with no prior warning to the vendor. That’s not great for users either, but at least they’re informed, and the vendor will be left scrambling. But in that case, the researcher gets paid nothing at all. |
|
|
This is true, but the responsibility to protect these users is ultimately on Slack, not the researcher. If Slack's bounties are nowhere near competitive with black market prices, they are failing to protect their users and should be called out on it.