Beg Bounties

280 points by 0xedb over 3 years ago

20 comments

LeonM over 3 years ago
As soon as we published a security.txt, we started receiving multiple beg bounties on a weekly basis.

The thing is that responding to them (regardless of what you write) often triggers a drip mail campaign with sad stories of how the 'hackers' are trying to pay for college, or their sick mother, or whatever typical scam story they can come up with. Within days you'll be sifting through dozens of emails, trying to find legit, serious reports.

This increases the risk that you skim over a serious report. You now risk a reputation problem, because if you do not reply in a timely manner, some hackers will resort to publication as a way of public shaming. Please, if you are a legit white hat hacker, try to understand how many junk reports we have to go through. Obviously, we want to credit real hackers :-)

Anyway, we deleted our security.txt. This dropped the number of beg bounties significantly (no more automated emails). A real human hacker will find a contact address anyway.
TomGullen over 3 years ago
We get a bunch of these - to be fair to them, as mentioned in the article, 99% are small setting tweaks we've overlooked. I always find it awkward replying to these sorts of reports; usually I go with:

"Thanks for your report, we've updated the settings. We don't have an official bounty program but we do sometimes offer them if the issue is severe enough. On this occasion it is not"

And that seems to work fine. For ones a little more involved we've paid out $50 a few times, which they seem happy with and we're generally ok to pay.

These setting tweaks are a source of spam; if you fix them you stop getting the emails.

I don't have a problem with them generally, but like Troy mentions, the language they use can be quite manipulative and plays on your virtuous characteristics - short, concise, firm replies are what's required, and then ignore if they reply with begging.
mythz over 3 years ago
FWIW we've also received the exact same email from the same named person with the same vague text of having "identified a vulnerability in your Web Application"; judging from Troy's twitter thread he seemed to have sent the same email to many others.

We're still waiting on a reply to assess whether there's any validity in his claim. I guess what I'm curious about is how people best handle this situation? Normally if it's any other PC security threat or legal liability claim cold emailing us we'd just report spam & ignore, but with a software vulnerability we have a duty to investigate, which I expect is what makes his vulnerability claim so effective at getting engagement.

Given this happened shortly after we added a SECURITY.md to our project with the contact email used, it wouldn't surprise me if he is just email spamming the same claim to projects with SECURITY pages where he'll expect some payment for just disclosing a GitHub-reported dependency vulnerability that nearly every non-trivial npm project has.
tgsovlerkhgsel over 3 years ago
The beg bounty hunters make it a giant PITA to report genuine security issues. Even bigger companies end up going through platforms like HackerOne instead of providing a direct security contact, and you end up having to spend time proving/explaining to triagers that you have found an actual issue. (The reason why I refuse to use HackerOne is that they require you to agree to their arbitrary terms putting unreasonable restrictions on your ability to publish your research.)

Doubly annoying when you find a minor issue where you simply don't know whether the company cares about it [1]: Do you report it and risk ending up being flagged as a beg bounty hunter, or do you skip reporting it, potentially leaving an issue open that the company may be interested in fixing?

[1] Example: a site that requires TOTP both on login and sensitive actions but allows you to reuse the same TOTP for both if you're quick.
tptacek over 3 years ago
I don't think he has a particularly persuasive rebuttal to the argument that it's not honorable or productive to publicly shame someone who's asking to wash your car window for $1. "What if they were saying something's wrong with your car?" Wouldn't make much difference, Troy.
marijn over 3 years ago
You used to be able to do `git clone https://codemirror.net`, which was kind of neat. But the constant barrage of emails from "security researchers" who had found a "vulnerability" (an exposed git directory holding an open source codebase) has made me configure my server to deny all .git paths.
bawolff over 3 years ago
I suspect 95% of the value provided by services like bugcrowd is preventing the emotional exhaustion of dealing with these types of people.

My favorite is I remember getting one about how the site suffers from having perfect-forward-secrecy, which is a "critical" TLS vulnerability that needs to be fixed immediately.
mtmail over 3 years ago
We have 'security bounty program' listed in our website footer. Also a security.txt. We still get emails saying they found some kind of vulnerability and asking if we have a bounty program. Sometimes via our contact form, where we can check what the user did on our website prior (usually: nothing). At this point it's spam.

Most infuriating report was that there's a world-readable directory listing and people can download files, URL like http://dowloads.$mycompany.com/public with literally a README file explaining that all files are public and meant for people to download.
elondaits over 3 years ago
We got contacted by someone spoofing an openbugbounty.org report (similar domain, sent from a Gmail account if you checked headers). The report was copy-pasted from one for a different site, and it didn't really apply to us (but you had to know the internals). Worst part: based on the email the spoofer used, and the one associated with their PayPal, they had two legit profiles in openbugbounty.org with hundreds of verified bounties.
mijoharas over 3 years ago
On the other side of this, I remember how difficult it was to get through to someone at a company who had somehow left their stripe secret key exposed (along with a bunch of other config vars, including paypal secret, and google private key).

I even gave them a specific curl command to see it. After not receiving any response I finally called up customer service, and sometime (months) later they finally fixed it. (They never responded once though, and I couldn't be bothered to ask if they rotated their keys like they should have, since it was such an arduous process.)
SquibblesRedux over 3 years ago
I have received anonymous security notices that suggest we should send money to the "researcher" who wishes to remain anonymous. While I appreciate receiving information on security vulnerabilities, if the person who contacts me remains anonymous then I consider their communication to be a threat and extortion.

If anyone wishes to report a security vulnerability in good faith, and they hope for remuneration of any sort, then they need to identify themselves unambiguously.
ocdtrekkie over 3 years ago
One case I didn't see mentioned here is where well-meaning programs can support beg bounties: I've seen reports sent to an open source product through a platform which is offering up their own bounties for security fixes in open source. A noble idea, but then you get meaningless security reports, combined with them begging you to just go mark them as real security issues so they get a payout, even if it's not a real security issue.
jph over 3 years ago
Companies tend to pay more attention, in my experience, when you tell the company you're doing coordinated disclosure, and send along a link about how it works, and how it helps the company with security and goodwill.

https://github.com/joelparkerhenderson/coordinated-disclosure
danielvf over 3 years ago
We have an up to $250,000 bug bounty for reporting a critical vulnerability in some of our code, as well as a whole page on reporting issues.

Never had a major report, but we get one or two of these SPF/DKIM/Headers/SSL per week.

One memorable guy kept emailing us back from different email addresses and using different names for each, but following right along with the thread of the conversation...
tdeck over 3 years ago
Why are the later email exchanges in this post documented through embedded tweets of images of text? On mobile most of the images are cut off in this display format, requiring readers to click through to Twitter to read each one of them. I don't really understand why people do this when they can either embed the image directly or just copy-paste the text.
tmcneal over 3 years ago
There seems to be a cottage industry of folks scraping places like ProductHunt and hitting them up with these emails. We posted to ProductHunt twice and got multiple "beg bounties" along with someone claiming they could get us to #1 product of the day, for a nominal fee of course.
aeronauticus over 3 years ago
So I wonder how much of this is related to an article I read a while back about certain cyber sec (legit or not) university programs that encourage (read: require) their students to essentially pull this stuff in order to get their names out there (name of the individual and/or the school). The effort is pretty much a naked attempt to drum up a pile of "finds" and show your socials that you are a 'security professional' (padding the resume, so to speak). The thing about this effort is that those schools are actively driving their students to do this in order to graduate, if the article was correct... Not certain if this is the other side of the situation, but compelling.
ok123456 over 3 years ago
What's wrong with full disclosure? It's the only thing that really works.

So what if someone is slightly embarrassed? Lag time for "responsible disclosure" is often on the scale of months-to-quarters. If it's truly a real security problem and not just some made up attack that can only happen in a lab under ideal conditions, it will be a red-ball.
paulpauper over 3 years ago
Unless it is a major breach or affects operations, big companies generally do not care about this sort of stuff.
vmception over 3 years ago
I don't agree with the holier-than-thou gatekeeping that Troy is attempting to justify here.

I do agree that Responsible Disclosure™ is bullshit; "beg bounties" are a symptom. Troy's approach is a symptom. Saying "look at me, I *never* ask for money" is so immature and privileged and lacks empathy when he goes through the exact same thing but then blames it on other people. He genuinely believes that his database of hacker goodies and monetization paths is better in some moral sense and says "no, everyone else is wrong" after people on twitter are like "dude, wtf".

It would be wrong even if he had zero monetization paths too.