In my country there is a sort of obligation to give 10% of the value in case you find something valuable, but it is mostly applied to found money. Many times people just return what they have found without taking any reward. This could be extrapolated to bug bounties as well. How much would Slack or its clients potentially lose if this bug was exploited? I think that everybody could agree on some sum, let's say 200k USD. In that case 20k should be paid.
Another approach is to take the invoice for the last security audit and simply pay the whole amount of that invoice to the researcher. If none was ever done (good God!), just some usual quote for pen testing the targeted application could be applied.
HackerOne could also enforce minimum payouts per exploit category.