Slack, the popular workplace communication and collaboration platform, has fixed a critical vulnerability that could have allowed hackers to gain access to users’ computers. The vulnerability was reported by a third-party security researcher through the HackerOne bug bounty programme.
According to the researcher, the exploit could have allowed hackers to achieve “remote code execution.” This would have given them access to users’ “private files, private keys, passwords, secrets, internal network access etc.” as well as private conversations and files within the platform.
Interestingly, Slack paid the researcher a mere $1,750 for reporting the bug. Many researchers have criticised Slack for paying so little for such a critical bug. Some also pointed out that the researcher could have made more money by selling the data to another company.
Should the government demand companies pay more in bug bounties? Slack, a $20,000,000,000 company paid $1750 for an RCE as part of their bug bounty program. If the researcher sold it to a private company he would have made tens of thousands of dollars.
For all that effort, they got awarded $1750, Seventeen Hundred and FIFTY bucks. @SlackHQ firstly the flaws are a rather large concern, I mean validation is hard but come on, then pay properly, please. Because this would be worth much more on https://t.co/cqxDDdazqH
“Our bug bounty program is critical to keeping Slack safe. We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers,” a company spokesperson told Mashable.