Stingy Slack Paid Researcher $US1,750 ($2,375) for Finding ‘Critical’ Bug

A security researcher found a critical bug that would have let attackers hijack a person's computer when using Slack. His reward? $US1,750 ($2,375). (Photo: Drew Angerer, Getty Images)

At times, we’ve come to you with stories about security researchers being paid thousands — and in some cases hundreds of thousands — of dollars by companies for finding critical bugs in well-known software or hardware. However, this time, the story is different. It’s about a company that was stingy, and that’s not cool.

According to Mashable and Bleeping Computer, Slack paid security researcher Oskars Vegeris $US1,750 ($2,375) for finding and reporting a bug that would have allowed hackers to hijack a person’s computer. To do this, all a hacker needed to do was upload a file and share it with another Slack user or channel on the app’s desktop version.

“With any in-app redirect – logic/open redirect, HTML or Javascript injection it’s possible to execute arbitrary code within Slack desktop apps,” Vegeris, who is also a security engineer at Evolution Gaming, wrote in a HackerOne report. “This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and a RCE Javascript payload.”

Vegeris initially reported the problem to Slack in January, although the HackerOne report was just made public this past week. In the report, Vegeris said that the bug could give attackers “access to private files, private keys, passwords, secrets, internal network access, etc.,” and “access to private conversations, files etc. within Slack,” among others.

Considering the potential havoc that could have been caused had any of the above happened — let’s remember that Slack has at least 12 million daily active users — $US1,750 ($2,375) seems kind of… cheap. Add that to the fact that Slack published a blog about the bug and didn’t credit Vegeris’ work (although it apologised profusely, and apparently sincerely, afterwards) and it just seems like this researcher’s work was undervalued all around.

Some members of the security community also thought so and sharply criticised the company on Twitter.

“For all that effort, they got awarded $US1750 ($2,375),” wrote Daniel Cuthbert, co-author of the OWASP Application Security Verification Standard. “@SlackHQ firstly the flaws are a rather large concern, I mean validation is hard but come on, then pay properly, please. Because this would be worth much more on”

The critiques are not without foundation. Finding bugs is hard work that often involves a lot of learning, effort and time. It’s also very competitive, which means that there’s always a risk another researcher could find the bug you’ve been looking into and report it first.

In a statement to Mashable, Slack said its bug bounty program was critical to keeping its app safe. It also added that it had implemented an initial fix for the bug found by Vegeris in February.

“We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognising their work and creating value for our customers,” Slack said.

Bottom line, being stingy on critical issues like these is more serious than it sounds. As pointed out by members of the security community, selling a bug like this on the black market could have brought in a lot more money. If companies want to ensure their products are safe, they need to reward good behaviour and hard work consistently.