A little note about Slack’s Bug Bounty program

March 16, 2015

I reported a bug to Slack via HackerOne on December 13, 2014. Slack closed it as N/A. Considering it was N/A, I went ahead and blogged about it here on December 18, 2014. I also gave them a heads up on the HackerOne submission that I would be disclosing it before I actually disclosed it. They kept radio silence, so I assumed they didn’t have any issues. They never said not to disclose or anything like that, which would make sense because it was marked as N/A, meaning they were not interested in the bug in the first place.

Around the same time, or rather a day earlier on December 12, 2014, I had reported another bug to Slack via HackerOne, and they closed it as Duplicate. The entire submission along with the conversation can be found here. In a nutshell, they wanted to do a coordinated disclosure once the issue was fixed. I was perfectly fine with that. I completely understand and respect the ethics of a bug bounty program, and I agreed to it. But after that there was complete radio silence. I tried following up multiple times, but nobody cared to respond or update me regarding the fix, as is evident from the document. I also left a comment (1 month and then 4 days before the disclosure) that if I didn’t hear back with any update, I would go ahead and disclose it 90 days after the initial submission. According to industry standards, that seems to be the trend these days, so I chose to stick with it. I finally disclosed it here on this blog.

On March 12, 2015, I reported yet another bug to Slack, again via the HackerOne platform. This bug was closed today, March 16, 2015, as N/A without any explanation or reasoning. The entire conversation along with the bug submission can be found here. Consider this document a public disclosure for this bug, since it is marked and closed as N/A and they don’t seem to be interested in it anyway.

As is evident from the latest bug submission document, I have been told that I have “gone against the spirit of a bug bounty program by disclosing things without consent”. They feel that for the second bug described above, “the disclosure is owned by the original reporter” and that “By disclosing this without coordinating” I have stolen “the original reporter’s opportunity to disclose a finding.” They apparently spoke to HackerOne last week and asked to remove me from participating in their bug bounty program. I was apparently supposed to receive some communication regarding this (which btw I never did).

Final Thoughts:

I am honestly very disappointed with how things have been handled. I personally don’t think I did anything against the spirit of a bug bounty program. I am all for coordinated disclosure, but if the program owners fail to coordinate or communicate in a timely manner, there is no such thing as coordinated disclosure. Combined with their responses on all my bug submissions and their decision to ban me from participating in their bug bounty program, this is probably the worst experience I have had so far, and I feel it is a perfect example of how not to operate a bug bounty program.

I would love to get some feedback and thoughts on this. I am open to criticism and improving anything that I could have done better from my side to make this less painful.

7 Comments
  1. Manav permalink

    Buddy, I totally support you on this matter. The Slack fellows operating the BB Programme are a bunch of lazy a*s. They don’t bother responding even on valid bugs. I think the H1 guys are smart enough & I would be more than surprised if they take any action based on communication from Slack. I appreciate your time & effort for making the whole case publicly available.

  2. If Cal Henderson handles this report, it’s possible to resolve this issue.

  3. You shouldn’t have blogged it if they told you it was a duplicate finding that wasn’t already disclosed by the original researcher. That is an awkward situation to be in if you have no way to know who the original researcher was though.

    • noname permalink

      and you also have no way to know if there really was an original researcher or if they just didn’t want to pay the bounty.

      • Well, they could refer to the date of the disclosure of that bug.

        Example of good communication Slack could have used:
        “Hey! Thanks for reporting this issue! Unfortunately someone else beat you to the punch and submitted the following: …. Do you agree that this is the same issue? We’ll be rolling out a fix in May. Expect the disclosure in June. Could you please keep quiet about this until then?”

        I also still have an open vuln on HackerOne that Slack won’t disclose even though they implemented a rudimentary fix that patches the issue. Any comment from me gets ignored because they said that they moved the issue to an internal bug tracking system and ignore HackerOne comments as they have a lot of spammy reports.

        I still think that this is damned disrespectful and harmful to their relationship with pentesters (which are obviously not a group you’d like to piss off).

  4. Sounds like they didn’t want to pay the bounty. Lame.

  5. buddy permalink

    I really hope Slack will pay for these mistakes! Good job, these are serious issues.
