Public Slack bug reports.

Team Bounty Title
Slack $850 Bypass to postMessage origin validation via FTP
Slack $3,000 Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain
Slack $1,000 Access of Android protected components via embedded intent
Slack $200 dom xss in
Slack $100 Subdomain takeover on
Slack $500 Store XSS
Slack $1,000 Eavesdropping on private Slack calls
Slack $700 Information Disclosure on
Slack $500 CSRF in github integration
Slack $400 Email information leakage for certain addresses
Slack $500 Rate-limit bypass
Slack $2,500 Snooping into messages via email service
Slack $750 Code Injection in Slack's Windows Desktop Client leads to Privilege Escalation
Slack $1,000 Stored XSS (Cross Site Scripting) In Slack App Name
Slack $500 CSRF - Add optional two factor mobile number
Slack $500 Creating Post on a restricted channel
Slack $500 a stored xss issue in
Slack $500 "a stored xss issue in share post menu"
Slack $1,500 Source code leakage through GIT web access at host ''
Slack $100 Generate new Test token
Slack $100 User can start call in a channel of an unpaid account
Slack - Unauthenticated Access to some old file thumbnails
Slack $500 File upload over private IM channel
Slack $200 [Screenhero] Subdomain takeover
Slack $500 Open Redirect on
Slack $1,000 Stored XSS on using new Markdown editor of posts inside the Editing mode and using javascript-URIs
Slack $2,000 Authentication bypass leads to sensitive data exposure (token+secret)
Slack $100 an xss issue in
Slack $1,000 Trick make all fixed open redirect links vulnerable again
Slack - Executing scripts on using SVG
Slack $100 RC4 cipher suites detected on
Slack $100 Reflected Self-XSS in Slack
Slack $200 File upload XSS (Java applet) on
Slack $500 Stored XSS in Slack (weird, trial and error)
Slack $100 Self-XSS in posts by formatting text as code
Slack $1,000 OSX slack:// protocol handler javascript injection
Slack - Link vulnerability leads to phishing attacks
Slack $100 Bypass of the SSRF protection (Slack commands, Phabricator integration)
Slack $100 Logout any user of same team
Slack $200 Team admin can add billing contacts
Slack $100 Team admin can change unauthorized team setting (allow_message_deletion)
Slack $200 Team admin can change unauthorized team setting (require_at_for_mention)
Slack $500 a stored xss in slack integration
Slack - HTTP Strict Transport Policy not enabled on newly made accounts
Slack $200 Content Spoofing all Integrations in
Slack $100 Content spoofing at Stripe Integrations
Slack $100 Password Policy issue (Weak Protect)
Slack $100 Open Redirect login account
Slack $300 SSRF on
Slack - Remote file Inclusion - RFI in upload
Slack $500 Stored XSS in (integrations)
Slack $500 Stored XSS Found
Slack - open redirect in
Slack $500 Facebook Takeover using Slack using 302 from with access_token
Slack $300 Stored XSS in
Slack - TLS1/SSLv3 Renegotiation Vulnerability
Slack $500 Duplicate of #4550
Slack $500 Stored XSS in Slackbot Direct Messages
Slack - Open Redirect in Slack
Slack - User impersonation is possible with incoming webhooks
Slack $500 flash content type sniff vulnerability in
Slack - Content Spoofing
Slack - Deleting Teams implementation
Slack - Stored XSS
Slack $500 Reflected Xss
Slack - Email enumeration
Slack - Data exports stored on S3 can be scraped easily
Slack - Open redirect vulnerability
Slack - State parameter missing on google OAuth
Slack $500 Stored XSS in Channel Chat
Slack - Stored XSS on this link
Slack - CSRF on add comment section
Slack - csrf
Slack $100 CSRF vulnerability on
Slack $500 Stored XSS in
Slack $200 URL redirection flaw
Slack $200 Stored XSS in
Slack - Session Fixation disclosing email address
Slack $100 Slack OAuth2 "redirect_uri" Bypass
Slack $100 Broken Authentication (including Slack OAuth bugs)
Slack $150 Reflective XSS can be triggered in IE