科技回声: a technology news platform built on Next.js, providing global technology news and discussion.

© 2025 科技回声. All rights reserved.
The Downside of Thanking Security Contributors

48 points, by pwim, over 11 years ago

7 comments

tptacek, over 11 years ago

You're pretty much doing everything right. You have a respectful disclosure page. It tells people not to disrupt the service. You could, if bogus signups are annoying you, set up a crappy staging instance of your app and direct testers there.

I might further:

* Fix the disclosure page so that it doesn't reserve thanks for people who find "high or critical" vulnerabilities. Sev:medium in security-researcher-land is XSS and CSRF, both of which probably merit thank-yous. I'd just thank publicly anyone who sends you a valid issue.

* Post to Twitter (under a DoorkeeperSecurity alias) the SHA1 hashes of the titles of disclosed vulnerabilities, so you can "notarize" findings and settle grievances about who found what first.

* Go ahead and live with people sending you annoying security reports. People will do much worse things to you than that over the coming years. If your service does well, eventually people are going to stop "warning" you about DoS-susceptibility, and just start blackmailing you about DoS attacks.

But otherwise, I'm not sure I see the downside here. The alternative, of course, is for people to find flaws on your site and then write up hysterical blog posts about it. Think of the annoyance you're dealing with as a small payment in exchange for (some) control over the security story of your site.
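The hash "notarization" tptacek describes, as an added example that is not part of the original thread: publish the SHA-1 of each disclosed title, and later use the public timestamp of that digest to settle who reported first. The titles, dates and the log are constructed for the example; normalizing the title before hashing is an assumption added here so a later reveal with different spacing or casing still matches.

```python
"""Hash-based 'notarization' of disclosed vulnerability titles.

Only the SHA-1 digest and its publication time go public; the title itself is
revealed later, when priority has to be settled.  All data here is constructed.
"""
import hashlib
import unicodedata
from datetime import datetime


def normalize_title(title: str) -> str:
    # Canonicalize Unicode, collapse whitespace and lowercase so that small
    # formatting differences between publish time and reveal time do not
    # break verification (assumption added here; the comment hashes raw titles).
    return " ".join(unicodedata.normalize("NFC", title).split()).lower()


def commitment(title: str) -> str:
    # The published value: SHA-1 of the normalized title, as the comment proposes.
    # Caveat: an unsalted hash of a short, guessable title can be confirmed by
    # anyone who guesses the title, so this proves priority, not secrecy.
    return hashlib.sha1(normalize_title(title).encode("utf-8")).hexdigest()


def publish(log: list, title: str, published_at: str) -> dict:
    # Append one public record (ISO-8601 timestamp plus digest); the title is
    # deliberately not stored in the public log.
    entry = {"published_at": datetime.fromisoformat(published_at),
             "sha1": commitment(title)}
    log.append(entry)
    return entry


def settle(log: list, title: str, report_received_at: str) -> str:
    """Classify a later report of `title` against the public log.

    'already_known'   a digest for this title was public before the report
    'published_later' the digest only went public after the report arrived
    'unknown'         no digest for this title was ever published
    """
    digest = commitment(title)
    received = datetime.fromisoformat(report_received_at)
    published = [e["published_at"] for e in log if e["sha1"] == digest]
    if not published:
        return "unknown"
    return "already_known" if min(published) < received else "published_later"
```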
infosectosser, over 11 years ago

I'm responsible for information security at one of the other startups listed on BugSheet. As a heads-up, you're going to want to ask bugcrowd.com to remove your company from their list [1], also. We saw a pretty steep increase in the number of daily reports when first listed (4-5/day to >30/day) and it appears someone recently added your company to their site.

I'll also echo what droopybuns stated - creating templates that can address preliminary communication (duplicates, request more info, accept, etc.) will greatly reduce the amount of time you feel as though you are wasting. Some people I know tend to ignore the crazy ones but I generally prefer the "kill them with kindness" approach. One email explaining that you do appreciate the time they spent trying to help secure your site can do a lot to prevent harassment and potential bad press.

Best of luck - responsible disclosure programs are never fun for the person sifting through the reports but once in a while they do expose actual vulnerabilities and on those days, I'm happy we do it.

[1] https://bugcrowd.com/list-of-bug-bounty-programs
gnu8, over 11 years ago

If you aren't paying or updating your list of contributors, then I will just email Full-Disclosure, which also doesn't pay but functions as a permanent record of those who meaningfully contribute to security.
marvvelous, over 11 years ago

> Not only are they reporting trivial issues, but they also aren't testing our site in a respectful fashion, by doing stuff like signing up to real events with fake profiles.

The second-to-last paragraph mentioned this, which seems like the real issue behind this whole article. Receiving a couple of security emails a day isn't a problem, but the fake activity sounds like it's bad for regular users.

No idea how to stop something like this though; maybe put up a page for bounty hunters with some clear guidelines on how they're expected to act?
ics, over 11 years ago

Link to the page/list in question: http://www.doorkeeperhq.com/responsible_disclosure
chris_wot, over 11 years ago

Just note that the list is no longer being maintained.
homakov, over 11 years ago

You definitely exaggerate your problem.