Slack Bug Bounty: Three Years Later

We’ve reached a few big milestones for the Slack Bug Bounty program: it’s our three-year anniversary, and we’ve paid out more than $210,000 in bounties! We want to give a big thank you to all the security researchers who have helped make Slack more secure. In this post we’ll offer a retrospective on our bug…

Overview

The article discusses the three-year anniversary of Slack's Bug Bounty program, highlighting its achievements, lessons learned, and providing guidance for security researchers. It emphasizes the importance of collaboration with researchers to enhance security and shares insights on the program's performance metrics.

What You'll Learn

1. How to effectively manage a bug bounty program to enhance security
2. Why using a third-party triage service can improve response times
3. When to reward researchers for their findings in a bug bounty program
4. How to analyze bug report patterns to improve program efficiency

Key Questions Answered

What are the key milestones of Slack's Bug Bounty program?
Slack's Bug Bounty program has paid out more than $210,000 in bounties and has received nearly 1,000 reports within the first four months of its launch. The program has evolved significantly since its inception in February 2014, becoming integral to Slack's security processes.
How does Slack handle incoming vulnerability reports?
When a researcher submits a vulnerability report, a third-party triage service first checks that the report is valid and reproducible. If it is, Slack files an internal ticket, fixes the issue, and rewards the researcher for the finding, so every report follows the same path from submission to payout.
What metrics does Slack track for its Bug Bounty program?
Slack tracks metrics such as the number of inbound reports, mean response times, and total bounties awarded. The current mean response time is less than 24 hours, reflecting the program's efficiency and responsiveness to researchers.
What types of vulnerabilities are researchers encouraged to report?
Researchers are encouraged to report various vulnerabilities, including authentication bypasses, web application flaws, and mobile app issues. Specific areas of interest are the Slack API, the web app, the desktop app, and the mobile apps, each of which exposes its own attack surface.

Key Statistics & Figures

Total bounties paid out
$210,000
This figure represents the total amount awarded to researchers over the three years of the program.
Number of reports received in the first four months
nearly 1,000
Over half of those reports arrived in the second month after launch.
Current mean response time
less than 24 hours
This reflects the efficiency of Slack's communication with researchers in the bug bounty program.

Technologies & Tools

Platform
HackerOne
Used for managing the bug bounty program and facilitating communication with researchers.

Key Actionable Insights

1. Prepare for an influx of reports when launching a bug bounty program.
Many new programs experience a surge in submissions, which can overwhelm teams. Having adequate resources and processes in place ensures timely responses and maintains program health.
2. Utilize a third-party triage service to manage report evaluations.
This lets the internal team focus on fixing valid issues while the triage service absorbs the volume of submissions, which is what keeps response times low.
3. Maintain clear communication with researchers throughout the resolution process.
Keeping researchers informed about the status of their reports fosters goodwill and encourages continued participation in the program, which is vital for long-term success.

Common Pitfalls

1. Failing to prepare for a large influx of reports can overwhelm the security team.
Many organizations underestimate the volume of submissions they will receive, which leads to delayed responses and a negative experience for researchers. Allocate sufficient resources and establish a clear workflow before launching.

Related Concepts

Bug Bounty Programs
Vulnerability Management
Security Research