One of the best ways to ward off hackers is to ask for their help. That, and promise to pay them for it.
That’s the thinking behind the bug bounty program at Slack, the popular group-chat platform, which offers a pay-out to people who find and report legitimate security flaws that could be exploited by hackers.
Frans Rosén, a researcher at the web security firm Detectify, described in a recent blog post how he identified a flaw that would have allowed him to steal an individual Slack user’s private token—thus enabling him to log in as that person.
Rosén submitted a report to Slack, detailing what he’d found, on a Friday evening. He heard back in 33 minutes. In that time, Slack had started the work of determining whether the bug was real (it was) so engineers could begin coordinating a patch. While one group worked on fixing the bug, another group of Slack engineers began investigating whether anyone had already exploited the security flaw (they found no evidence of this).
Slack fixed the bug. (“The solution Slack made was a great one,” Rosén said.)
Users’ accounts remained secure.
And Rosén got $3,000 for his efforts.
This isn’t unusual. Of the thousands of tips Slack has received, more than 500 have been valid bugs. The company has paid more than $200,000 in bug bounties. “This bug is exactly why we invest in our public bug bounty program,” a spokesperson for Slack told me. “Once it was identified by the security researcher, we were able to fix it within five hours and confirm shortly after that it was not exploited in the wild.”