Slack is committed to treating our customers’ data with the utmost care. As part of this, we encourage security researchers to put our security to the test - and we offer a variety of rewards for doing so. We look forward to continuing to work with the community as we add new features and services.
This page is intended for security researchers. For general information about security at Slack, please see our main website.
- Automated testing is not permitted.
- Follow HackerOne’s Disclosure Guidelines.
- Test only with your own team(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.
- You must be the first person to report the issue to us. We will review duplicate bugs to see if they provide additional information, but otherwise only reward the first reporter.
- We award bounties following our triage process, and will keep you posted as we work to verify submissions.
- Contacting our support team (firstname.lastname@example.org) about the status of a HackerOne report will result in an immediate disqualification for a bounty for that report.
The following guidelines give you an idea of what we usually pay out for different classes of bugs. Low-quality reports may be rewarded below these tiers, so please make sure there is enough information for us to reproduce your issue. Step-by-step reproduction instructions, starting from the creation of a fresh Slack account, are preferred. Screenshots and videos are also helpful, but please do not make them public before submitting them, in keeping with our program’s rules.
There is no maximum reward: particularly creative or severe bugs will be rewarded accordingly. Depending on the severity of the bug and the quality of your report, we may pay a lower-tier bug out at a higher level.
|Severity | Critical | High | Medium | Low |
| ------------- | ------------- | ------------- | ------------- | ------------- |
| CVSSv3 | 9.0 - 10.0 | 7.0 - 8.9 | 4.0 - 6.9 | 2.0 - 3.9 |
| Min/Max | $5000 | $2500 | $1000 | $250 |
Low severity:
- Mixed content issues
- "Tab-Nabbing" or other
- Self-XSS (XSS requiring interaction other than browsing to exploit)
- Server misconfiguration or provisioning errors
- Information leaks or disclosure (excluding customer data)
- And other low-severity issues

Medium severity:
- Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
- Broken Authentication affecting a single team
- Privilege Escalation affecting a single team
- SSRF to an internal service, hosted by Slack
- Information leaks or disclosure (including customer data)
- And other medium-severity issues

Critical severity:
- Remote Code Execution
- Privilege Escalation affecting all teams
- Broken Authentication affecting all teams
- SSRF to an internal service, with extremely critical impact (e.g. immediate and direct security risk)
- And other critical-severity issues
Tier-0 bugs only for the following:
- Current versions of the official Slack applications for Windows, Mac, Linux, iOS, Android, and Windows Phone
- Apps that are maintained by Slack itself (and not third-party applications). To identify apps that are in scope for bug bounty, go to the page for that app (for example, email) and ensure there is no "Report this app" link under the icon for the application. Please note that apps may differ from Slack production, depending on the impact of an issue.
CSRF: we use a parameter named `crumb` for our CSRF tokens in our production application. CSRF reports that include this parameter in the proof of concept will be marked as invalid.
Cookie Scope: the only sensitive cookies in the Slack product reside on `.slack.com` and not on other
The following bugs are unlikely to be eligible for a bounty:
- screenhero.com (we have sunset the Screenhero standalone product and as such are no longer accepting reports for that domain)
- Open redirect on slack-redir.net
- Issues found through automated testing
- "Scanner output" or scanner-generated reports
- Publicly-released bugs in internet software within 3 days of their disclosure
- "Advisory" or "Informational" reports that do not include any Slack-specific testing or context
- Vulnerabilities requiring physical access to the victim's unlocked device
- Denial of Service attacks
- Brute Force attacks
- Spam or Social Engineering techniques, including:
  - SPF and DKIM issues
  - Hyperlink injection in emails
  - IDN homograph attacks
- Issues relating to Password Policy
- Full-Path Disclosure on any property
- Version number information disclosure
- Third-party applications on the Slack Application directory (identified by the existence of a "Report this app" link on the app's page). Please report issues with these services to the creator of that specific application.
- Clickjacking on pre-authenticated pages, the non-existence of X-Frame-Options, or other non-exploitable clickjacking issues. (An exploitable clickjacking vulnerability requires a) a frame-able page that is b) used by an authenticated user and c) has a state-changing action on it vulnerable to clickjacking/frame re-dressing.)
- CSRF-able actions that do not require authentication (or a session) to exploit
- Reports related to the following security-related headers:
  - Strict Transport Security (HSTS)
  - XSS mitigation headers (
  - Content Security Policy (CSP) settings (excluding `nosniff` in an exploitable scenario)
- Bugs that do not represent any security risk; these should be reported to email@example.com.
- Issues with other domains or applications owned by or related to Glitch or Tiny Speck
- Security bugs in slackhq.com. This site runs on WordPress, so if you find vulnerabilities in the WordPress service, please see the WordPress bounty program for reporting details.
- Security bugs in third-party applications or services built on the Slack API. Please report them to the third party that built the application or service.
- Security bugs in software related to an acquisition, for a period of 90 days following any public announcement
- EMM client vulnerabilities in the absence of a valid MDM configuration via a supported MDM provider (such as MobileIron) on an EMM-enabled Slack team
- Submissions from former Slack employees within one year of their departure from Slack
- Bugs in Slack’s public GitHub repos, besides Tier-0 issues in Nebula. Others should be submitted through GitHub’s Issues mechanism.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.