One of the best ways to ward off hackers is to ask for their help. That, and promise to pay them for it.
That’s the thinking behind the bug bounty program at Slack, the popular group-chat platform, which offers a pay-out to people who find and report legitimate security flaws that could be exploited by hackers.
Frans Rosén, a researcher at the web security firm Detectify, described in a recent blog post how he identified a flaw that would have allowed him to steal an individual Slack user’s private token—thus enabling him to log in as that person.
Rosén submitted a report to Slack, detailing what he’d found, on a Friday evening. He heard back in 33 minutes. In that time, Slack had started the work of determining whether the bug was real (it was) so engineers could begin coordinating a patch. While one group worked on fixing the bug, another group of Slack engineers began investigating whether anyone had already exploited the security flaw (they found no evidence of this).
Slack fixed the bug. (“The solution Slack made was a great one,” Rosén said.)
Users’ accounts remained secure.
And Rosén got $3,000 for his efforts.
This isn’t unusual. Of the thousands of tips Slack has received, more than 500 have been valid bugs. The company has paid more than $200,000 in bug bounties. “This bug is exactly why we invest in our public bug bounty program,” a spokesperson for Slack told me. “Once it was identified by the security researcher, we were able to fix it within five hours and confirm shortly after that it was not exploited in the wild.”
An earlier Slack vulnerability discovered by researchers at Detectify last June had involved the code Slack used for custom bots, which contained tokens—or private credentials tied to individual accounts—and which developers were then copying to GitHub, the collaborative programming site. “In the worst case scenario, these tokens can leak production database credentials, source code, files with passwords, and highly sensitive information,” Detectify wrote at the time. Slack closed that security gap, too.
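The leak described above is the familiar pattern of a credential hardcoded in bot source and then pushed to a public repository. The following is an added example, not code from Detectify, Slack, or the article, of the kind of check a pre-commit hook or CI job can run over staged files to block that mistake before it reaches GitHub. The Slack-style `xoxb-`/`xoxp-` prefix rule is an assumption based on Slack's commonly documented token format; the generic assignment rule is vendor-neutral. The sample files are constructed, and the token in them is a fake placeholder.

```python
import re

# Detection rules for hardcoded credentials.
# - "slack_token": assumed to follow Slack's commonly documented prefix form
#   (xoxb-/xoxp-/xoxa- followed by a long alphanumeric body).
# - "generic_assignment": any variable whose name contains key/secret/token/
#   password being assigned a quoted literal of 8+ characters.
TOKEN_PATTERNS = {
    "slack_token": re.compile(r"\bxox[bpa]-[0-9A-Za-z-]{10,}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b\w*(api[_-]?key|secret|token|password)\w*\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def redact(secret):
    """Show only the edges of a matched value so the report itself never leaks it."""
    return secret[:6] + "..." + secret[-4:]


def scan_text(path, text):
    """Return a list of (path, line_no, rule, redacted_value) for every hit in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                # For rules with capture groups, the last group is the secret value;
                # otherwise the whole match is the secret.
                value = match.group(match.lastindex) if match.lastindex else match.group(0)
                findings.append((path, line_no, rule, redact(value)))
    return findings


def scan_files(files):
    """files maps path -> content, as a pre-commit hook would read from the index."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_text(path, content))
    return findings


def commit_allowed(files):
    """Policy: a commit is allowed only when no rule fires on any staged file."""
    return len(scan_files(files)) == 0


# Constructed sample of two staged files. The first hardcodes a (fake) token,
# the second reads it from the environment, which is the fix the scanner expects.
SAMPLE_FILES = {
    "bot/leaky_bot.py": (
        "import requests\n"
        "SLACK_TOKEN = 'xoxb-000000000000-FAKE0EXAMPLE0TOKEN'\n"
        "requests.post(API_URL, headers={'Authorization': 'Bearer ' + SLACK_TOKEN})\n"
    ),
    "bot/safe_bot.py": (
        "import os\n"
        "import requests\n"
        "token = os.environ['SLACK_TOKEN']\n"
        "requests.post(API_URL, headers={'Authorization': 'Bearer ' + token})\n"
    ),
}


if __name__ == "__main__":
    for path, line_no, rule, redacted in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {rule}: {redacted}")
    print("commit allowed:", commit_allowed(SAMPLE_FILES))
```

Both rules fire on the same line of `leaky_bot.py`, while `safe_bot.py` passes because the literal never appears in source. The report deliberately prints a redacted value rather than the full match, so the scanner's own output cannot become a second leak in CI logs.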
Bug bounty programs have been around since the early days of the web, but they’ve become more popular in recent years as a way to keep web users safe “from criminals and jerks,” as Tumblr puts it in a description of its program.
In some cases these programs have resulted in massive payouts. Facebook has paid more than $5 million to some 900 researchers in the past five years. Twitter has paid more than $600,000, according to its page on HackerOne, a site where companies share information about their bug bounties. Google offers rewards of tens of thousands of dollars to hackers who identify vulnerabilities that could result in someone taking over a Google account. United Airlines pays hackers in miles instead of cash. (That program launched after a hacker claimed he’d assumed control of a United flight.)
It was Apple’s lack of a bug bounty program that may have prompted hackers to help the FBI unlock the iPhone that belonged to one of the attackers in the San Bernardino mass shooting in 2015. (Apple announced in August it would finally begin to offer cash bounties for valid bug reports.)
Back at Slack, there’s a sense of urgency about any report of vulnerabilities—whether from within the organization, or from outside researchers, or hobbyists. “Slack works very hard to ensure we don't ship known security flaws,” the Slack spokesperson said, “and the added brainpower of the developer and security communities is invaluable in keeping the service safe for everyone.”
In the meantime, if you’re a Slack user feeling mildly queasy about the thought of your messages being made public, here’s where you can change message-retention settings.