Slack paid a mere $1,750 reward to the researcher who reported a critical vulnerability
Slack’s bug could have allowed hackers to take control of its millions of users’ computers through remote code execution. The company has already implemented a fix.
Slack, the popular workplace communication and collaboration platform, has fixed a critical vulnerability that could have allowed hackers to gain access to users’ computers. The vulnerability was reported by a third-party security researcher through the HackerOne bug bounty programme.
According to the researcher, the exploit could have allowed hackers to achieve “remote code execution.” This would have given them access to users’ “private files, private keys, passwords, secrets, internal network access etc.” as well as private conversations and files within the platform.
Interestingly, Slack paid the researcher a mere $1,750 for reporting the bug. Many researchers have criticised Slack for paying so little for such a critical bug. Some also pointed out that the researcher could have made more money by selling the exploit to a private company.
Slack, a $20,000,000,000 company paid $1750 for an RCE as part of their bug bounty program.
If the researcher sold it to a private company he would have made tens of thousands of dollars.
Should the government demand companies pay more in bug bounties?
— Alon Gal (Under the Breach) (@UnderTheBreach), August 29, 2020
Seventeen Hundred and FIFTY bucks. @SlackHQ firstly the flaws are a rather large concern, I mean validation is hard but come on, then pay properly, please.
Because this would be worth much more on https://t.co/cqxDDdazqH
For all that effort, they got awarded $1750
— Daniel Cuthbert (@dcuthbert), August 29, 2020
Slack has also responded to the bug report and to the amount paid to the researcher.
“Our bug bounty program is critical to keeping Slack safe. We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers,” a company spokesperson told Mashable.
According to the spokesperson, the vulnerability was fixed in February earlier this year.