undefined | Better HN

0 pointsWowfunhappy5y ago0 comments

So, what is the right thing to do if you find a vulnerability in Slack?

0 comments

There are western vulnerability brokers that sell advance warning of exploits to clients like large corporations and governments so they can protect themselves, then presumably handle notifying the company in question so the bug can get fixed. Of course, one problem is that their clients are free to abuse the exploits, and another problem is there's no guarantee they'll make sure the exploits get fixed... but that's certainly an option for you if you aren't comfortable using HackerOne.

Another option is to just disclose it to the public a set number of days after notifying them, like Project Zero.

albntomat05y ago

I think the key thing is that there's a wide range in the amount of effort someone will put into looking for bugs/exploits, guided by a number of factors, like how fun the bug is to work on, the monetary reward, and any prestige from being the one to find it.

If an obvious vuln appears, obviously report it. But, these reports require a lot of work. It'd also be perfectly ok if the researcher reported whatever obscure behaviour they found initially, and went to go look at other targets with better bounties, played with their dog, etc.

kevin_b_er5y ago

Open disclosure on day 0 it would seem.

Voliokis5y ago

This might be unpopular, but if you don't feel like the compensation adequately reflects your effort, then you're free to do whatever you think is fair. It's your work. Slack isn't entitled to that work. Ideally, you'd check beforehand what a bug bounty program usually pays out and then decide whether to work on some other company's product that pays better. But you're always going to have people who are interested in doing this stuff and you're always going to have people who will look for the best pay-out for the work they've done.

The problem with starting with the baseline of "the right thing to do is always to disclose the vulnerability to Slack regardless of how little they pay" is that it perpetuates the exploitation of legitimate and important work by skilled workers. The onus should be on Slack to provide fair compensation, not on people doing this important work to "do it out of the good of their hearts".

Slack as a company had a revenue of $401 million last year and the average payout in their bug bounty program is $1376 (https://github.blog/2018-03-14-four-years-of-bug-bounty/). That's just disgusting.

WowfunhappyOP5y ago

> Slack isn't entitled to that work.

Sure, but that isn’t the user’s fault, and they’re the ones who are going to get attacked. I don’t disagree with your other points but I don’t think selling an exploit on the black market is the right solution.

Perhaps the best compromise, as I think about it, is to just make the exploit public with no prior warning to the vendor. That’s not great for users either, but at least they’re informed, and the vendor will be left scrambling. But in that case, the researcher gets paid nothing at all.

tjbecker5y ago

> Sure, but that isn’t the user’s fault, and they’re the ones who are going to get attacked.

This is true, but the responsibility to protect these users is ultimately on Slack, not the researcher. If Slack's bounties are nowhere near competitive with black market prices, they are failing to protect their users and should be called out on it.

panpanna5y ago

> whatever you think is fair

Please give us some examples of what you would consider fair in this situation.

tpxl5y ago

Hours worked for the exploit * 50$ should be enough.

3 more replies

j / k navigate · click thread line to collapse