Yeah, although technically it's "out of scope", I think there are times when you should stop debating the technicalities and consider the business impact.
I mean, do you look at that demo and think "yeah, that's technically just 'important' let's fix it in 2 months"?
The app has been updated multiple times since, but you can debug Slack and other Electron apps to see the context they are running with. Electron apps merge desktop functionality with web and sometimes it's possible to find abusable functions - e.g. filesystem, leaking dangerous Electron objects etc.
In this case it was possible to abuse lack of context isolation to overwrite functionality (first part of the JS exploit). This changed function behaviour to return (leak) a BrowserWindow class (https://www.electronjs.org/docs/api/browser-window) when calling window.open(). A BrowserWindow class allows to instantiate a new window with your own security settings :)
Context matters. In this case it was a challenge because of previous research and I would've done it just for fun and the experience. I'm lucky I can afford to do that. Doesn't mean I don't value compensation.
In other cases maybe yes, maybe no - for some nonprofit, maybe someone needs help? are they a business and can they afford to compensate this kind of work? maybe it is some prominent product? there is no simple answer
Yes they should and I think I could. This exploit was more of a fun challenge.
I support and agree to everything you are saying. I love the community response. I too loathe the bug bounty asymmetry in power between corporations and reporters, but it exists.. by design. How do you imagine a researcher can 'demand' more money in this situation? They can choose the amounts arbitrarily and there is nothing legal or ethical you can do about it.
I haven't seen any proposals for real solutions - how would you ask this? How do you decide the amount for each company? Solutions, which do not bypass ethics or laws. I hope that 'the market' will solve this eventually and I think I at least raised awareness.
I agree with you. It's super low, but I and others will just ignore it in the future and ultimately they lose.
However, bug bounties are not a job. Nobody is forced or obligated to do anything. I'm giving them 'a pass' in the future :) It's great people are discussing this and surely it will improve things for future researchers.
I consider bug bounties like competitions. The 'prize money' is defined beforehand. You don't have to compete if you don't want it. You can also compete for the 'notoriety'. Knowing the stakes, do you complain after getting 'first place'?
Everything you own or do is only worth as much as someone is willing to pay for it, everything else is just speculation.
Sure, absolutely they exist. But in my opinion they are the absolute minority. I've been in security for long enough to know that most people are good, otherwise we'd have major problems every day.
99% of people saying something about black markets or govt agencies have never really faced this decision or thought about it for more than 5 minutes. So it was a question - have you REALLY thought about it?
No, I do agree - from my perspective C/C++ class bugs are more difficult. Maybe they see this as magic as well.
Still, it was painstaking work and in either case CountryX will easily surpass those difficulties.