Public Slack bug reports.

| Team | Bounty | Title |
| --- | --- | --- |
| Slack | $850 | Bypass to postMessage origin validation via FTP |
| Slack | $3,000 | Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain |
| Slack | $1,000 | Access of Android protected components via embedded intent |
| Slack | $200 | dom xss in https://www.slackatwork.com |
| Slack | $100 | Subdomain takeover on podcasts.slack-core.com |
| Slack | $500 | Store XSS |
| Slack | $1,000 | Eavesdropping on private Slack calls |
| Slack | $700 | Information Disclosure on stun.screenhero.com |
| Slack | $500 | CSRF in github integration |
| Slack | $400 | Email information leakage for certain addresses |
| Slack | $500 | Rate-limit bypass |
| Slack | $2,500 | Snooping into messages via email service |
| Slack | $750 | Code Injection in Slack's Windows Desktop Client leads to Privilege Escalation |
| Slack | $1,000 | Stored XSS(Cross Site Scripting) In Slack App Name |
| Slack | $500 | CSRF - Add optional two factor mobile number |
| Slack | $500 | Creating Post on a restricted channel |
| Slack | $500 | a stored xss issue in https://files.slack.com |
| Slack | $500 | "a stored xss issue in share post menu" |
| Slack | $1,500 | Source code leakage through GIT web access at host '52.91.137.42' |
| Slack | $100 | Generate new Test token |
| Slack | $100 | User can start call in a channel of an unpaid account |
| Slack | - | Unauthenticated Access to some old file thumbnails |
| Slack | $500 | File upload over private IM channel |
| Slack | $200 | [Screenhero] Subdomain takeover |
| Slack | $500 | Open Redirect on slack.com |
| Slack | $1,000 | Stored XSS on team.slack.com using new Markdown editor of posts inside the Editing mode and using javascript-URIs |
| Slack | $2,000 | Authentication bypass leads to sensitive data exposure (token+secret) |
| Slack | $100 | an xss issue in https://hunter22.slack.com/help/requests/793043 |
| Slack | $1,000 | Trick make all fixed open redirect links vulnerable again |
| Slack | - | Executing scripts on slack-files.com using SVG |
| Slack | $100 | RC4 cipher suites detected on status.slack.com |
| Slack | $100 | Reflected Self-XSS in Slack |
| Slack | $200 | File upload XSS (Java applet) on http://slackatwork.com/ |
| Slack | $500 | Stored XSS in Slack (weird, trial and error) |
| Slack | $100 | Self-XSS in posts by formatting text as code |
| Slack | $1,000 | OSX slack:// protocol handler javascript injection |
| Slack | - | Link vulnerability leads to phishing attacks |
| Slack | $100 | Bypass of the SSRF protection (Slack commands, Phabricator integration) |
| Slack | $100 | Logout any user of same team |
| Slack | $200 | Team admin can add billing contacts |
| Slack | $100 | Team admin can change unauthorized team setting (allow_message_deletion) |
| Slack | $200 | Team admin can change unauthorized team setting (require_at_for_mention) |
| Slack | $500 | a stored xss in slack integration https://onerror.slack.com/services/import |
| Slack | - | HTTP Strict Transport Policy not enabled on newly made accounts |
| Slack | $200 | Content Spoofing all Integrations in https://team.slack.com/services/new/ |
| Slack | $100 | Content spoofing at Stripe Integrations |
| Slack | $100 | Password Policy issue (Weak Protect) |
| Slack | $100 | Open Redirect login account |
| Slack | $300 | SSRF on https://whitehataudit.slack.com/account/photo |
| Slack | - | Remote file Inclusion - RFI in upload |
| Slack | $500 | Stored XSS in slack.com (integrations) |
| Slack | $500 | Stored XSS Found |
| Slack | - | open redirect in https://slack.com |
| Slack | $500 | Facebook Takeover using Slack using 302 from files.slack.com with access_token |
| Slack | $300 | Stored XSS in Slack.com |
| Slack | - | TLS1/SSLv3 Renegotiation Vulnerability |
| Slack | $500 | Duplicate of #4550 |
| Slack | $500 | Stored XSS in Slackbot Direct Messages |
| Slack | - | Open Redirect in Slack |
| Slack | - | User impersonation is possible with incoming webhooks |
| Slack | $500 | flash content type sniff vulnerability in api.slack.com |
| Slack | - | Content Spoofing |
| Slack | - | Deleting Teams implementation |
| Slack | - | Stored XSS |
| Slack | $500 | Reflected Xss |
| Slack | - | Email enumeration |
| Slack | - | Data exports stored on S3 can be scraped easily |
| Slack | - | Open redirect vulnerability |
| Slack | - | State parameter missing on google OAuth |
| Slack | $500 | Stored XSS in Channel Chat |
| Slack | - | Stored XSS on this link https://sehacure.slack.com/help/requests/ |
| Slack | - | CSRF on add comment section |
| Slack | - | csrf |
| Slack | $100 | CSRF vulnerability on https://sehacure.slack.com/account/settings |
| Slack | $500 | Stored XSS in username.slack.com |
| Slack | $200 | URL redirection flaw |
| Slack | $200 | Stored XSS in www.slack-files.com |
| Slack | - | Session Fixation disclosing email address |
| Slack | $100 | Slack OAuth2 "redirect_uri" Bypass |
| Slack | $100 | Broken Authentication (including Slack OAuth bugs) |
| Slack | $150 | Reflective XSS can be triggered in IE |