I doubt anybody capable of finding an exploit like this is in that situation
lack of opportunity, lack of skills and lack of work ethic. As in it's easy to do, no barrier to entry and always available.
Most crimes don't actually pay very well and have poor return if you've got any sort of marketable skills. Armed robbery of a bank will get you on average $1200 and 15-20 years.
But pretending software development isn't a well paying career path, in general, is a statistically incorrect statement
No. Most software that is actually used, is not made 'for free'.
Yet the vast amount of hacks or attempts typically originate from China or North Korea...
There are a lot of young folks that try to make this their full time job after some success, then get into a dry spell. The panic robs them of the lateral thinking that brought them to the dance to begin with, and they get into spirals of ravenously hunting simple bugs that end up as dupes and out of scope.
I think that's the problem. You shouldn't be entirely dependent on bounty money, because sooner or later you will find a bug that is worth 10x or 1000x on the black market.
I have seen white hat bounty hunters go rogue in such situations and entirely blame it on the cheap-ass companies that won't offer the "right" amount.
Nobody owes you anything, you are doing this mostly for fun. The bounty is just a bonus.
That's missing a key point of the bounty system. Slack and its users are better off that this bug was 1: discovered and 2: responsibly reported. The bounty increases the number of eyes looking, but also incentivizes folks to look into weird crashes or fight through the drudgery of triaging odd behavior.
The bug value also shows how much Slack here values their security, and makes me wary of them if I were in the place to be a customer of theirs.