I remember when I was a teenager I found a huge security flaw in a website: they allowed including any PHP file passed as a query string parameter, and that file could be a remote one too.

They didn't listen to me and I found that offensive, so I used the flaw to get access and leave a message on their FTP server. I didn't destroy or steal any data. They responded by reporting the incident to the police.
I don't really understand the point of making a big stink about Beg Bounty Hunters. They're invariably people in developing countries, for whom occasional SPF or Clickjacking payouts will be meaningful. And there's an unbounded supply of them. They're not going away. All you can control is the way you respond to them; lashing out at them in public seems like a pretty unhealthy response. Not for them; who cares? There's going to be 20 more right behind them. But I mean, just for your own sense of well-being.
> Alas, all reasonable measures were exhausted without response, I loaded the data into Have I Been Pwned (HIBP) and *then* they took notice

Every single time. They don't really care about users, their safety and privacy. They care about legal liability and not looking foolish in public. It seriously makes me wish people would just publish vulnerabilities straight up complete with exploit source code so they'd have literally no choice but to care.
I run a domain for our community association. I had an “ethical hacker” discover that I had neglected to set up SPF records for that domain. I had to deal with him sending a bunch of nasty emails to our other board members after I refused to pay him for his “discovery”. (Actually I offered him a cut of my salary as a board member, which at $0, came out to be… less than he was hoping for.)

I’ll definitely keep a link to this for next time this happens.
I get a lot of these but I have to admit I have a few favourites:

1. "I can download archives of your public mailing list from your website!"

2. "I can download tarsnap source code from your website!"

3. "I can telnet to port 25 on your mail server and send you an email!"

I have the misfortune of being an early offerer of bug bounties -- and being unusual in offering bounties for all bugs, not just security bugs -- which means that Tarsnap shows up pretty quickly when bounty beggars start looking for targets.
I get that Troy is probably tired of receiving beg bounties, but as a security researcher himself, I find this post a bit distasteful and discouraging towards the people who could as well be on their way to finding bigger vulnerabilities.

Reports on lack of SPF/DMARC records or security headers can be annoying, and often false, because there are some legitimate cases where an SPF record with `~all` is necessary, or you have to have a permissive CSP for whatever reason.

I would have just deleted their email and moved on.
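Several comments in this thread mention the "your SPF ends in ~all" report. As an added example (not code from the thread or from any of the commenters), this is the kind of triage check a defender can run on their own records to decide whether such a report is worth anything: it parses a constructed SPF TXT string, reads the `all` qualifier, counts the DNS-lookup terms at this level (RFC 7208 caps these at 10), and weighs the result against whether a constructed DMARC record is enforcing. No DNS is queried; all domains and records are made up for illustration.

```python
import re

# Constructed sample records for illustration (no real domain, no DNS lookup).
SAMPLE_SPF = {
    "softfail.test": "v=spf1 include:_spf.provider.test ip4:192.0.2.0/24 ~all",
    "hardfail.test": "v=spf1 mx -all",
    "passall.test": "v=spf1 +all",
    "toomany.test": "v=spf1 " + " ".join(f"include:i{n}.test" for n in range(11)) + " -all",
}
SAMPLE_DMARC = {"softfail.test": "v=DMARC1; p=reject; rua=mailto:dmarc@softfail.test"}

# Mechanisms that cost a DNS lookup during evaluation (RFC 7208 section 4.6.4).
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")


def parse_spf(txt):
    """Return the 'all' qualifier and the count of lookup terms in one SPF record."""
    if txt is None or not txt.lower().startswith("v=spf1"):
        return {"present": False, "all": None, "lookups": 0}
    qualifier, lookups = None, 0
    for term in txt.split()[1:]:
        if term.lower().startswith("redirect="):  # modifier, but it costs a lookup
            lookups += 1
            continue
        has_q = term[0] in "+-~?"
        q = term[0] if has_q else "+"  # default qualifier is pass
        mech = (term[1:] if has_q else term).split(":", 1)[0].split("/", 1)[0].lower()
        if mech == "all":
            qualifier = q
        elif mech in LOOKUP_MECHS:
            lookups += 1
    return {"present": True, "all": qualifier, "lookups": lookups}


def triage(spf_txt, dmarc_txt=None):
    """Rate a 'weak SPF' report the way a defender would, not the way a scanner does."""
    spf = parse_spf(spf_txt)
    dmarc_enforced = bool(dmarc_txt and re.search(r"\bp=(quarantine|reject)\b", dmarc_txt))
    if not spf["present"]:
        return "low: no SPF record published"
    if spf["lookups"] > 10:
        return "medium: more than 10 DNS-lookup terms, evaluators return permerror"
    if spf["all"] == "+":
        return "high: +all lets any host pass SPF for the domain"
    if spf["all"] in ("~", "?", None):  # softfail, neutral, or no 'all' term (neutral)
        if dmarc_enforced:
            return "informational: softfail/neutral but DMARC policy is enforcing"
        return "low: softfail/neutral with no enforcing DMARC policy"
    return "none: -all with explicit fail"
```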
e: I just noticed, this post was from 2 years ago. It should have (2021) in the header.

---

I help run a bug bounty program; we get a lot of submissions. Way too many of them are zero or low effort. The SPF meme one definitely resonates with me, we get it a whole lot.

Occasionally we will get someone who submits a half dozen variations of the same zero/low-effort report. When we turn around and deny them all (because there's no actual exploitable issue), there's a good chance they will then spend the next week replying to our emails asking for money because they put a lot of effort into it, and/or disputing our evaluation.

It's frustrating dealing with that, and I can certainly sympathise with wanting to reply to someone who's begging you for money with a "no, go away".

Perhaps Troy just needed to blow off some steam, but I think he'd be better off having a saved reply in his email saying he doesn't pay bug bounties for personal projects/sites, and just send that.

I think it'd go over better than having what seems to be an overly aggressive post.
> Want to be a bounty beggar? It's dead simple, you just use tools like Qualys' SSL Labs, dmarcian or Scott Helme's Security Headers, among others. Easy point and shoot magic and you don't need to have any idea whatsoever what you're doing

You've described 90% of our cybersecurity department.
> I don't know how many disclosures I've done ... (100+, surely), but I have never, ever - not even once - asked for money. But Hammad isn't me

I agree with everything in this post except this line. It's nice that the author doesn't need the money, but some people do. To me, the problem is not sharing after the answer is no, or not asking up front, not the fact someone is asking for money.
Reading the accompanying CloudPets article, it is very similar to my experience with reporting exploits.

Found an XSS vulnerability on a very popular Danish website and 0 contact since reporting. The vulnerability still exists and I even found a few less severe bugs.
After reading this HN post in the morning, I've received one of those SPF ~all beg bounties via email today. It ends with:

From: whiteboxtesting01@gmail.com

> Waiting for your response and hoping for a bounty reward for responsibly disclosing this issue to your website. Furthermore, I may attempt to contact you again if I do not receive a response to ensure that my message has reached you.
I guess I wonder about the opposite side of this. While I hate the beg bounty people as well, I don't think security researchers should work for free. I have found several security vulnerabilities that I have never reported to the company because their security policy was basically "send us everything you found for free and we won't give you any credit".
I love the term, it's appropriate. In my experience many of these beg bounties are automated and nonsensical. Script kiddies looking for a quick and easy buck. Generally when they are directed to an actual bug bounty program on HackerOne or the like they don't follow through.
A bit off topic: I am genuinely surprised that he gets to blog (regular and micro via Twitter/X) with such a savage style. In many mega corps, even tech, they would eventually curtail this type of blogging. Steve Yegge is a pretty famous example where even Google was trying to curtail his blogging topics and style.
I know someone that would find security holes in random company sites and email them about it. They never asked for money.

Most of the time, the company sent an angry response with threats of calling the police. I always thought this was stupid.

I would never look for security vulnerabilities on a company site, unless I'm hired to do so. The main issue is that you have no idea if what you are doing will affect a production site.
Throwaway account for obvious reasons. I've been employed as a triager on two primary bug bounty platforms for over seven years. The circumstances are distressing and carry tangible real-life consequences. I'm open to answering questions within my personal comfort zone.
Why is most of the substance of this post giant block quote links to his own Twitter? Clicking through to those is painful; it’s not like the author can’t afford to host some screenshots on his own domain.
Surely "false positives" for security vulnerabilities are better than no emails at all...

    "If you put an email on a website, you will get spam"

*- A fundamental law of the internet*
I understand the problem, beggars add noise to an important contact signal point…

But this idea that people '*did* actually already do the "work" for free' so don't deserve remuneration… isn't great.

Lots of people do *spec work* to try and get paid, or to get more work. The recipient is free to negotiate, rebuff or simply ignore it, but this idea that time sunk is valueless is unhelpful.

Not defending "Hammad" here. If you do spec security work you *need* to lead with what you've got, even if that's just a rough CVE severity rating, and your price. But I think I'd rather have people checking my configuration and taxing me for my errors than not know at all.