Public Slack bug reports.
4,419 Bug Reports - $2,030,173 Paid Out
Last Updated: 12th September, 2017

| Team | Bounty | Title |
|------|--------|-------|
| Slack | $850 | Bypass to postMessage origin validation via FTP |
| Slack | $3,000 | Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain |
| Slack | $1,000 | Access of Android protected components via embedded intent |
| Slack | $200 | dom xss in https://www.slackatwork.com |
| Slack | $100 | Subdomain takeover on podcasts.slack-core.com |
| Slack | $500 | Store XSS |
| Slack | $1,000 | Eavesdropping on private Slack calls |
| Slack | $700 | Information Disclosure on stun.screenhero.com |
| Slack | $500 | CSRF in github integration |
| Slack | $400 | Email information leakage for certain addresses |
| Slack | $500 | Rate-limit bypass |
| Slack | $2,500 | Snooping into messages via email service |
| Slack | $750 | Code Injection in Slack's Windows Desktop Client leads to Privilege Escalation |
| Slack | $1,000 | Stored XSS(Cross Site Scripting) In Slack App Name |
| Slack | $500 | CSRF - Add optional two factor mobile number |
| Slack | $500 | Creating Post on a restricted channel |
| Slack | $500 | a stored xss issue in https://files.slack.com |
| Slack | $500 | "a stored xss issue in share post menu" |
| Slack | $1,500 | Source code leakage through GIT web access at host '52.91.137.42' |
| Slack | $100 | Generate new Test token |
| Slack | $100 | User can start call in a channel of an unpaid account |
| Slack | - | Unauthenticated Access to some old file thumbnails |
| Slack | $500 | File upload over private IM channel |
| Slack | $200 | [Screenhero] Subdomain takeover |
| Slack | $500 | Open Redirect on slack.com |
| Slack | $1,000 | Stored XSS on team.slack.com using new Markdown editor of posts inside the Editing mode and using javascript-URIs |
| Slack | $2,000 | Authentication bypass leads to sensitive data exposure (token+secret) |
| Slack | $100 | an xss issue in https://hunter22.slack.com/help/requests/793043 |
| Slack | $1,000 | Trick make all fixed open redirect links vulnerable again |
| Slack | - | Executing scripts on slack-files.com using SVG |
| Slack | $100 | RC4 cipher suites detected on status.slack.com |
| Slack | $100 | Reflected Self-XSS in Slack |
| Slack | $200 | File upload XSS (Java applet) on http://slackatwork.com/ |
| Slack | $500 | Stored XSS in Slack (weird, trial and error) |
| Slack | $100 | Self-XSS in posts by formatting text as code |
| Slack | $1,000 | OSX slack:// protocol handler javascript injection |
| Slack | - | Link vulnerability leads to phishing attacks |
| Slack | $100 | Bypass of the SSRF protection (Slack commands, Phabricator integration) |
| Slack | $100 | Logout any user of same team |
| Slack | $200 | Team admin can add billing contacts |
| Slack | $100 | Team admin can change unauthorized team setting (allow_message_deletion) |
| Slack | $200 | Team admin can change unauthorized team setting (require_at_for_mention) |
| Slack | $500 | a stored xss in slack integration https://onerror.slack.com/services/import |
| Slack | - | HTTP Strict Transport Policy not enabled on newly made accounts |
| Slack | $200 | Content Spoofing all Integrations in https://team.slack.com/services/new/ |
| Slack | $100 | Content spoofing at Stripe Integrations |
| Slack | $100 | Password Policy issue (Weak Protect) |
| Slack | $100 | Open Redirect login account |
| Slack | $300 | SSRF on https://whitehataudit.slack.com/account/photo |
| Slack | - | Remote file Inclusion - RFI in upload |
| Slack | $500 | Stored XSS in slack.com (integrations) |
| Slack | $500 | Stored XSS Found |
| Slack | - | open redirect in https://slack.com |
| Slack | $500 | Facebook Takeover using Slack using 302 from files.slack.com with access_token |
| Slack | $300 | Stored XSS in Slack.com |
| Slack | - | TLS1/SSLv3 Renegotiation Vulnerability |
| Slack | $500 | Duplicate of #4550 |
| Slack | $500 | Stored XSS in Slackbot Direct Messages |
| Slack | - | Open Redirect in Slack |
| Slack | - | User impersonation is possible with incoming webhooks |
| Slack | $500 | flash content type sniff vulnerability in api.slack.com |
| Slack | - | Content Spoofing |
| Slack | - | Deleting Teams implemenation |
| Slack | - | Stored XSS |
| Slack | $500 | Reflected Xss |
| Slack | - | Email enumeration |
| Slack | - | Data exports stored on S3 can be scraped easily |
| Slack | - | Open redirect vulnerability |
| Slack | - | State parameter missing on google OAuth |
| Slack | $500 | Stored XSS in Channel Chat |
| Slack | - | Stored XSS on this link https://sehacure.slack.com/help/requests/ |
| Slack | - | CSRF on add comment section |
| Slack | - | csrf |
| Slack | $100 | CSRF vulnerability on https://sehacure.slack.com/account/settings |
| Slack | $500 | Stored XSS in username.slack.com |
| Slack | $200 | URL redirection flaw |
| Slack | $200 | Stored XSS in www.slack-files.com |
| Slack | - | Session Fixation disclosing email address |
| Slack | $100 | Slack OAuth2 "redirect_uri" Bypass |
| Slack | $100 | Broken Authentication (including Slack OAuth bugs) |
| Slack | $150 | Reflective XSS can be triggered in IE |