Slack has fixed a “critical” vulnerability in its desktop app that could have posed a significant threat for users of the messaging service. A security researcher identified the bug, posted it through a bug bounty platform, and was compensated for his efforts. But members of the security community are arguing that the fee paid by Slack wasn’t nearly enough.
In the current age of remote working, more people are relying on team collaboration tools, and Slack is one of the top services in the category. A security vulnerability in the service’s desktop app, which is now fixed, could have caused major problems. In the wrong hands, the exploit would have allowed remote code execution, giving an attacker access to passwords, files, and the internal network.
What’s more, it was possible to make the attack “wormable,” allowing it to be passed on from one account to a whole group of users, thereby compromising an entire Slack team. It’s clear that a huge amount of sensitive information could have been maliciously captured using the security exploit.
The vulnerability wasn’t identified by Slack’s security team, however. An independent security researcher notified Slack via bug bounty platform HackerOne earlier this year. For his efforts, the researcher was awarded a fee of $1,750. However, as Mashable explains, many members of the security community feel that this wasn’t enough.
A spokesperson for Slack responded to these comments, explaining: “We deeply value the contributions of the security and developer communities, and we will continue to review our payout scale to ensure that we are recognizing their work and creating value for our customers.” The spokesperson added that an initial fix for this exploit was implemented in February.
Slack now does appear to be offering higher payouts for significant exploits such as this — an important move, as a less noble researcher could have sold this “critical” vulnerability to a malicious buyer. Thankfully, that wasn’t the case this time.