by albntomat0
2115 days ago
> Nobody owes you anything, you are doing this mostly for fun. The bounty is just a bonus.

That's missing a key point of the bounty system. Slack and its users are better off that this bug was 1: discovered and 2: responsibly reported. The bounty increases the number of eyes looking, but also incentivizes folks to look into weird crashes or fight through the drudgery of triaging odd behavior. The bug value also shows how much Slack here values their security, and makes me wary of them if I were in the place to be a customer of theirs.

Most directly it shows how they value a bug bounty program. There are companies that spend hundreds of millions of dollars per year and have thousands of people in their infosec program that don’t have bug bounty programs.
You can extrapolate that to how they value security but that’s not necessarily directly correlated.