Some Insights on Slack’s Bug Bounty and etc.
This blog post aims to make people aware of the substandard practices going on within Slack’s Bug Bounty Program at HackerOne, along with some other security matters.
Slack is a chat tool or in their own words — Slack is team communication for the 21st century.
This past week there was a good amount of media coverage about Slack, as hackers breached their database and stole some information about their users. What baffled people in the information security community was that Slack had already been running a successful bounty program, one that had helped them fix over three hundred security bugs across their various products, from web to mobile applications, and yet they were still hacked.
As people started to dig deeper into this episode, some of them ended up reading a blog post by Anshuman Bhartiya titled "A little note about Slack’s Bug Bounty program". The post describes his dismal experience with, and ill-treatment by, the Slack security team that handles their bounty program at HackerOne.
Now, coming back to the agenda of this post, I’ll discuss my own experiences with Slack’s bug bounty program: how it was, for a time, one of my favourite bounty programs, and how their behaviour then rapidly degraded.
I started participating in their bounty program back in early 2014, as soon as it went live on HackerOne. As part of that, I submitted bugs that took me to 2nd position on their leaderboard.
At the start of their program they were amazing. Most of the bugs I submitted were fixed in less than 24 hours and the bounty was paid. This is what kept me glued to Slack’s bounty program: over the course of a month or so I submitted many bugs, and their response time stayed the same. That was remarkable, especially for a new bounty program. My sincere thanks to Cal Henderson, who responded to my bug tickets at that time.
Later on, I submitted another bug to Slack, which they didn’t manage to reproduce, and that is when things started to rot. I asked whether they needed any additional help reproducing the bug, or whether they could provide an update, but they started to avoid me. I saw them rewarding other people while my ticket went unanswered, even after repeated requests for an update. Eventually I left a message on that ticket about their ugly behaviour, which later led to heated conversations with Cal. After that conversation I assumed things were back to normal and submitted two more bugs.
The first bug was a low-severity issue which didn’t need any urgent treatment; it was triaged immediately and fixed after 2 months, without any update in the meanwhile. Then comes the second bug (#27945), a low/medium-severity issue which I submitted 7 months ago. They triaged it, and what happened next was utterly embarrassing. In the past 6 months I made 6 attempts to get an update on that ticket, but, such is their ego, I never got a reply. This would piss off anybody, and I am no exception. In the meanwhile they continued to respond to others, pay rewards, and so on. Anyone with experience of disclosures will understand what 6 months without an update or follow-up means, even after repeated attempts. What baffled me again was that the bug I had submitted in the ticket was patched, yet on HackerOne the bug is still left in the triaged state by the ignorant team.
I even wrote a lengthy email to HackerOne support complaining about Slack and a few other programs, to which they hardly did anything, especially in the case of Slack. I believe they don’t have much authority over the programs they run, beyond managing the website.
In the meanwhile, I was seriously pissed off with Slack, and so were a few others.
Then there was a news story about the same on Forbes, titled "Slack’s Privacy Fail Exposes Tech Giants’ (Mostly Boring) Working Groups".
What Slack is doing is now pretty evident: they went from awesome to disgusting in how they handle product security.
After their recent hack they implemented 2FA, which was flawed, as was pointed out on Twitter.
I’d recommend that everyone out there learn a lesson from Slack and manage their bounty program well, so that bugs are identified and killed quickly. Actively responding to bug submitters always helps and is definitely encouraging behaviour. I hope Slack’s bounty program will do well in future, and thereby that they will improve their security practices as well, instead of saying sorry endlessly.