As soon as we published a security.txt, we started receiving multiple beg bounties on a weekly basis.
The thing is that responding to them (regardless of what you write) often triggers a drip mail campaign with sad stories of how the 'hackers' are trying to pay for college, or their sick mother, or whatever typical scam story they can come up with. Within days you'll be sifting through dozens of emails, trying to find legit, serious reports.
This increases the risk that you skim over a serious report. You now risk a reputation problem, because if you do not reply in a timely manner, some hackers will resort to publication as a way of public shaming. Please, if you are a legit white hat hacker, try to understand how many junk reports we have to go through. Obviously, we want to credit real hackers :-)
Anyway, we deleted our security.txt. This dropped the number of beg bounties significantly (no more automated emails). A real human hacker will find a contact address anyway.
Unfortunately, we also started receiving this claim shortly after creating a SECURITY page. Based on this, I've just decided to replace our email with a link to our online contact form so we can be reached without disclosing our email; hopefully that is enough to prevent automated email systems.
I too don't think you should have a `security.txt`, but in, meh, 5 years of fielding bad bounty reports for various companies for various reasons, I've never seen someone appeal to their sick mother or their college fund. I usually get one additional ask after I say "no", and then they move on.
I'm not sure I see the reputational risk you face here, since we all know the score on these reports. What are they going to do, tweet that you have an inadequate SPF record?
> What are they going to do, tweet that you have an inadequate SPF record?
Heh, well, given that I run an e-mail hardening platform, our customers rely on our consulting on how to (amongst other techniques) set an adequate SPF record. So, in my specific case, this would actually be bad publicity.
But what I meant was that for serious security issues, white hat hackers often do a writeup as part of the public incident report. These often contain timelines. If it contains "contacted security@company.com, but got no response", this will make you look bad. This is what I meant by the reputation risk.
I guess my point is that it's only a risk if they're finding real vulnerabilities, and if that's what they're doing, our sympathies should be recalibrated. (Obviously, I think it's most likely that they're not finding real bugs).
That's not what's happening. If you're missing real bounty reports because you can't pick them apart from bogus SPF-type reports, that's on you. We've all had something like 10 years of experience fielding bounty reports and the one unmistakable dominant theme of everyone's experience with them is that almost all of the rando inbound reports are junk. Every competent security@ practice handles them just fine.
It's annoying, but frankly what can you really expect? Bounties are spec work. I think spec work is fine, and that designers are mostly wrong about pushing back on it (it's a norm in all sorts of professions) but I'm sure as hell not going to get up on a high horse about the quality of my spec submissions. If I want to cultivate an expectation of high-quality reports, I retain consultants, or run a Google-style program with nosebleed-high payouts for sev:med bugs.
The people we're talking about are spraying and praying for $50 bounties. They're not getting in the way of anyone's RCE report.
The researchers who get no response from valid bugs are running into vendors who run bad software security practices. That's not the fault of low-skilled amateur researchers.
Why not have a specific web form on your contact page that says "report a bug" that takes 1) contact email, 2) example compromised data (if any), 3) steps to reproduce, and 4) description of the bug.
A contact page that has a form to be filled out, with an auto response stating that there are no bounties paid out, but all bug reports are read.
Any downsides? Full disclosure, I have not maintained the code on a website or server before.
You need to answer arbitrary, informal emails to `security@` no matter what. You can't impose a protocol on top of that. Serious security researchers can reasonably blow off coordination with you if you get fussy with it.
I feel like every 2-3 months a blog post rockets to the top of HN where a hacker discloses a vuln and says “I reported this to $company 10 months ago and it is still present in the most recent version of $OS”. If it’s AppAmaGooSoft they can take the hit (especially if it turns out to not be that bad) but I imagine for a smaller company (like one of the more indie cloud hosts) that could be damaging to their reputation among the folks who hang out here (many of whom purchase cloud hosting and other tech stuff).
Let me put it this way: I've never seen one of these beg-bounty people publicly shame a company for not fixing their SPF records. I think the reason for that is that it wouldn't work, but either way: it's not a real threat.
I don't even see evidence of the threat being made!
IMHO, what looks bad is when the company responds and asks for more time and more time and doesn't seem to be doing anything concrete. That shows lack of communication and coordination which looks worse than maybe missing one email or customer service request. Email doesn't always get delivered and customer service requests don't always get read by people who are empowered to do anything about it. If there's a pattern of not acting on emails, that may be different.
All that said, security reputation doesn't seem super important. I'm having trouble thinking of companies that have failed because of poor reputation in that area, despite having a desirable product otherwise. I'm not suggesting not to care about security, just that worrying about your reputation shouldn't be on your list of worries. Given that as an industry, we're still making the same security mistakes over and over, trying your best and learning from previous mistakes is a pretty good baseline. You can still get relative praise for reacting quickly and effectively to reports that are made public, even if you missed the early warning.
I was thinking about deploying some security.txt on our sites and your experience occurred to me; it is sort of like hanging a fishhook out there for all sorts of automated spamming.
There are, however, legitimate security researchers and consultants. If you are one of these and have a service you want to provide, then get in touch with me like everyone else and make your pitch. Get my permission to provide your service, instead of just "providing" it then sending me what feels like extortion threats to buy it.
I know that's not a popular opinion here, but IMO that idea is part of the problem, and exactly why the concept is so ripe for (and rife with) abuse.
I don’t know that I agree with looking at it that way. I find significant security vulnerabilities on sites from time to time (I have some modest security background but it isn’t my day job). I’m neither a security researcher or some kind of white hat hacker, just a concerned technically literate netizen.
I have no interest in a bug bounty, I just want to see holes get patched.
I’m not looking to provide some service, and I’m not actively probing for issues, I’m just letting people know that they’ve left their door open…
I hear you. But, I was referring to the term "white hat" in the context of this thread. Maybe I should've better clarified that.
So, the activity you're speaking of isn't what I had in mind. If you've discovered something that you freely report to help operators secure vulnerabilities, then that's one thing. But, this "business" of targeting companies uninvited, then requesting payment creates shady scenarios at best.
Many times, you have no idea who these people are or affiliated with, and whether they will exploit or sell this info on the black market if you don't pay them. You also don't know if it's the beginning of a drip, whereby they just continuously target you for one-off "payment requests" on other issues.
There's very much a predatory feel about it. If people want to offer a service for something this sensitive, important, and reliant on trust, then come through the front door and be transparent about what your service provides and how much it costs.
We get a bunch of these - to be fair to them, as mentioned in the article, 99% are small setting tweaks we’ve overlooked. I always find it awkward replying to these sorts of reports; usually I go with:
“Thanks for your report, we’ve updated the settings. We don’t have an official bounty program but we do sometimes offer them if the issue is severe enough. On this occasion it is not”
And that seems to work fine. For ones a little more involved we’ve paid out $50 a few times which they seem happy with and we’re generally ok to pay.
These setting tweaks are a source of spam, if you fix them you stop getting the emails.
I don’t have a problem with them generally, but like Troy mentions, the language they use can be quite manipulative and plays on your virtuous characteristics - short, concise, firm replies are what’s required, and then ignore if they reply with begging.
You might want to consider a "special thanks" page with the names of "white hat security researchers" who have pointed out issues. Public recognition costs you very little but for some of them it could be a significant career-building step, worth more than a few dollars or dinars.
Everybody had to start somewhere. Yesterday's skids are today's legit researchers. If this is something they actually want to pursue, it could make a world of difference.
I don't think "someone who just scans websites with automated tools reporting vulnerabilities" is inherently a bad thing. At worst you get a free invocation of a tool you didn't know existed, at best you start a dialog and integrate the tool in your automated testing.
No, I think at worst you waste your time and attention reading reports of benign issues from the invocation of an automated tool that you didn't care to execute. I think this is probably the worst, and median case.
Maybe there is a way this could be useful. "I'm a security researcher. I ran this tool on your site which found these vulnerabilities. Here's why I think these vulnerabilities may be meaningful, even if they are first seem not to be" is, I think, a nice contribution and, if you make a change based on those suggestions, that merits some kind of credit. That's not really what is discussed in the article though.
Everyone, no matter their skill level, should put 5% of their times toward mentoring and encouraging people to grow and build more.
Someone scanning websites and checking for vulnerabilities is probably a student curious about security. Nothing wrong with a pat on the back and a free acknowledgment.
The article makes it clear this person is behaving obnoxiously in a borderline threatening way. Why would you reward and encourage that behavior? They aren't a student, it's some guy running a script to scan for vulnerabilities and then beg for bounties.
That's assuming the settings tweaks are even correct. I've seen plenty of these types of things where the suggested change is incorrect or otherwise not a mere oversight but actively a bad idea.
I've received them unsolicited in batches. I think there are training camps that show people how to do this (spot debatable configs that I may have chosen intentionally) and ask for money. Haven't seen anything exploitable.
It's often scanned, too. We have a small honeypot in our Wordpress blog that scanners assume is a vulnerability. Often I see email coming minutes after a certain file is accessed.
Whenever we ask for details or true reproductions of the issue, they're unable to provide them.
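The honeypot trick described above (a file that only a scanner would fetch, followed minutes later by a "vulnerability" email) is easy to turn into a small piece of triage logic. The block below is an added example, not code from the commenter or from the article: it parses combined-format access log lines, picks out hits on a honeypot path, and flags inbound mail that arrived shortly after such a hit so the report can be answered with the right amount of scepticism. The log lines, the honeypot path `/wp-content/backup.zip`, the inbox entries and the one-hour correlation window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access log in Apache/nginx "combined" format.
# 203.0.113.7 is a scanner: it probes wp-login.php, then fetches the honeypot file.
# 198.51.100.4 is an ordinary visitor.
ACCESS_LOG = """\
203.0.113.7 - - [10/Feb/2021:09:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2021:09:12:03 +0000] "GET /wp-content/backup.zip HTTP/1.1" 200 512 "-" "python-requests/2.25"
198.51.100.4 - - [10/Feb/2021:11:40:17 +0000] "GET /blog/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Assumed honeypot path: a file that is linked nowhere and that no real user requests.
HONEYPOT_PATHS = {"/wp-content/backup.zip"}

# Constructed inbound mail metadata (what a mail gateway or ticket system would hand us).
INBOX = [
    {"received": datetime(2021, 2, 10, 9, 31, 0, tzinfo=timezone.utc),
     "from": "whitehat@example.net",
     "subject": "Critical vulnerability in your Web Application"},
    {"received": datetime(2021, 2, 11, 15, 0, 0, tzinfo=timezone.utc),
     "from": "customer@example.org",
     "subject": "Invoice question"},
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append({"ip": m["ip"], "ts": ts, "path": m["path"], "ua": m["ua"]})
    return hits


def honeypot_hits(hits):
    """Only requests for the honeypot paths; any such request is scanner activity."""
    return [h for h in hits if h["path"] in HONEYPOT_PATHS]


def correlate(hits, inbox, window=timedelta(hours=1)):
    """Return (sender, scanner_ip, delay) for every mail that arrived within
    `window` after a honeypot hit. A short delay is strong evidence the report
    is scanner output rather than a hand-written finding."""
    flagged = []
    for mail in inbox:
        for h in honeypot_hits(hits):
            if h["ts"] <= mail["received"] <= h["ts"] + window:
                flagged.append((mail["from"], h["ip"], mail["received"] - h["ts"]))
    return flagged


if __name__ == "__main__":
    for sender, ip, delay in correlate(parse_log(ACCESS_LOG), INBOX):
        print(f"{sender} mailed {delay} after {ip} fetched the honeypot")
```

The correlation is deliberately one-directional (mail after hit, never before): a hit without a follow-up email is just a scanner, and an email with no preceding hit is the case that deserves a closer read.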
Yeah, I used to regularly get these reports when I ran a popular website. Sometimes (rarely), there was a glimmer of usefulness, but often it was just people telling us to turn off say TLS 1.0 or SSL 3; which would be nice... but we had to support clients that couldn't do better and modern clients won't use those anyway (or at least support the anti-fallback fake cipher, in cases where that helps). For things that only supported modern clients, we had better configs, but then those weren't www, so people didn't tend to test them.
> “Thanks for your report, we’ve updated the settings. We don’t have an official bounty program but we do sometimes offer them if the issue is severe enough. On this occasion it is not”
> And that seems to work fine. For ones a little more involved we’ve paid out $50 a few times which they seem happy with and we’re generally ok to pay.
Interesting, the ones we have got are always after much larger figures. Some will link a hackerone or similar with a more serious version of what they are reporting to us that was reported to a billion dollar company to try and ground the value of their report.
FWIW we've also received the exact same email from the same named person with the same vague text of having "identified a vulnerability in your Web Application", judging from Troy's twitter thread he seemed to have sent the same email to many others.
We're still waiting on a reply to assess whether there's any validity in his claim. I guess what I'm curious about is how people best handle this situation? Normally if it's any other PC security threat or legal liability claim cold emailing us we'd just report spam & ignore, but with a software vulnerability we have a duty to investigate, which I expect is what makes his vulnerability claim so effective at getting engagement.
Given this happened shortly after we added a SECURITY.md to our project with the contact email used, it wouldn't surprise me if he is just email spamming the same claim to projects with SECURITY pages where he'll expect some payment for just disclosing a GitHub reported dependency vulnerability that nearly every non-trivial npm project has.
You shouldn't have any particular duty to follow up with someone who's withholding a bounty report. If the report is good, you'll know it; you may get a report without details, but if they're for real, they'll include credentials (usually: a link to previous findings). If they're completely anonymous randos and don't provide details, they've got nothing.
If all they're saying is "Your software is vulnerable", that's not news. That's like saying the sky is blue, there's nothing to investigate without more details.
The beg bounty hunters make it a giant PITA to report genuine security issues. Even bigger companies end up going through platforms like HackerOne instead of providing a direct security contact, and you end up having to spend time proving/explaining to triagers that you have found an actual issue. (The reason why I refuse to use HackerOne is that they require you to agree to their arbitrary terms putting unreasonable restrictions on your ability to publish your research.)
Doubly annoying when you find a minor issue where you simply don't know whether the company cares about it [1]: Do you report it and risk ending up being flagged as a beg bounty hunter, or do you skip reporting it, potentially leaving an issue open that the company may be interested in fixing?
[1] Example: a site that requires TOTP both on login and sensitive actions but allows you to reuse the same TOTP for both if you're quick.
I don't think he has a particularly persuasive rebuttal to the argument that it's not honorable or productive to publicly shame someone who's asking to wash your car window for $1. "What if they were saying something's wrong with your car?" Wouldn't make much difference, Troy.
I think it does. And I think the argument that it is useful for others to learn about that person and the general approach they use and avoid being scammed is a pretty persuasive argument.
The situation I imagine is someone outside of the parking lot showing up to me and telling me there is something wrong with my car, but they will only disclose it to me if I pay them $50. Then I happen to be an expert car mechanic and I know my car pretty well and I know whatever they tell me is irrelevant and definitely not a security concern. I think it is pretty justified to alert other car owners of that same parking lot that ”that guy in the blue shirt telling you you have a problem with your car is just a scammer, don’t pay him”. That’s nothing like complaining about a beggar offering to wash your window.
It is useful even for real white hat hackers sharing actual problems.
I want to say this gingerly because who knows if I'm right, but here goes:
I think the only way to come to this kind of conclusion is if you're hearing about the SPF-record beg-bounty phenomenon for the first time in this article. Because we get these all the time. There can't be any benefit to singling any one of them out.
Further: this isn't a 419 scam. You're not soliciting wooden keyboards from people trying to ransack your bank account. These are just pentesters who are not (perhaps yet?) good at their job. The reports you get from them are dumb, but they're not usually wrong; they're just issues that nobody cares about.
You can write a post about the beg bounty fraud without using cruelty to stimulate the nucleus accumbens of a huge number of people. But it's harder to do it, because the underlying observation ("oh, there's a lot of bogus scanner-fodder bounty posts") is banal. Here, Troy wanted to light us all up. But he didn't want to work to do it. So he recast some hapless bounty dork as a scammer and built a whole post around administering justice to them. Gross.
There are a lot of disadvantaged people overseas and they're increasingly connected. They're fundamentally no less capable than we are. I look forward to their eventual overthrow of infosec.
There are a lot of disadvantaged people all over the world at the moment.
Thank you for this comment. This article and some of the comments here have made me enormously uncomfortable.
There are serious double standards where if privileged people do it, it's wise/clever/smart. If poor people do essentially the same thing, they are morally depraved abusers for wanting money.
The phrase "fake it til you make it" comes to mind here. For privileged people, that approach is celebrated and encouraged. Here, it's being maligned in a way that strikes me as classism.
> ”is if you're hearing about the SPF-record beg-bounty phenomenon for the first time in this article”
I don’t know what “gingerly” means, but you are right in this assumption. I only own small side projects sites, but the article felt like a useful warning to me in case I receive such a message some day.
I am more inclined to agree with you than before your reply, your point of view makes sense. I would still call the article more “helpful” than “gross” though.
"There's lots of annoying, unsolicited, bad bug bounty submissions" is a useful thing to point out, even if it's probably too boring for Troy's core audience to stand on its own. The phenomenon he's describing is real.
Honestly: if he hadn't brought up that he was called out for this and tried to rebut it, I wouldn't have thought to write about it. But he did, and, like I said, his argument is pretty weak.
There's a significant difference between low quality reports and an actual scam. Refusing to disclose without payment is a big red flag in my opinion. Those types of reports are extortion at the very least, if not necessarily outright scams.
Low quality reports that include a POC are, on the other hand, neither extortion nor scams. They may be problematic for other reasons (lowering the signal-to-noise ratio), but they don't fall into the same category as the aforementioned "no disclosure without payment" reports and should not be treated the same way in my opinion.
Agreed. Troy is shaming a serial scammer. We don't know anything else about the scammer's background other than that they call themselves "Muhammed".
Moreover, the presumption that an Islamic name means they’re underprivileged or foreign-born is condescending, maybe even racist. My rich South Asian friends in high school had similar names, similar hacking proclivities and very much the same poor English in their written correspondence.
I had much the same reaction when reading this, as someone who corresponded with one of these individuals this week.
The institution of bug bounties is structurally reliant on a huge wage gap between countries. “Picking the wrong country to be born in” is not a moral fault. Yes, many of the people engaged in bounty farming at scale are low-skilled relative to the average HN reader, but they are probably not low skilled relative to the average HN reader at the lowest skilled portion of your own career, and when you were being paid for your labor during that portion, you earned a month’s wages for this guy in ~hours of work.
It is also true that they don’t conform to our class norms in communications styles. That’s also something I’d suggest moderating one’s emotional response to out of noblesse oblige.
“I’m responding to this out of abundance of charity, but given literally no identifying information in the email I think there is a high probability I am speaking to a script rather than a human.
What do you want to tell me about what application specifically?”
They responded that they were a human and asked whether there was a bug bounty. I sent them a one word No. They replied “Thanks” and that was the end of it.
I wrote the first email on the thought that it might have been an early career security researcher possibly poorly calibrated on how to reach a security contact, and if I write it in the future, I will probably revise the “human” language as it doesn’t travel as well as I intended it to.
Perhaps:
“It would be more effective in the future to include details about the report or at least about which application you are reporting about to route emails like this effectively.” followed by the query.
I'm torn. I get why Troy is doing this and it feels justified from that perspective. But I can't shake the feeling that he is punching down.
Is the "White Hat" doing what Troy says he is doing? It seems so. Many not so technically versed people would maybe even be intimidated or scared by the approach. It is objectively wrong (without further circumstance).
But I think it can be attributed to unprofessional and incompetent behavior rather than malice. Troy is in a position of power and wisdom in this case. He _could_ try and educate/correct the actor by firmly rejecting his request and clearly stating what the issue is without trying to embarrass him, let alone publicly shame him.
---
An analogy that came to mind:
Dogs are this way. If a dog acts from a position of weakness (incompetence) and gets into the face of the other dogs, then that dog is "corrected", typically by one that enjoys some form of respect. If the corrected dog reacts accordingly (stops the misbehavior) the other dogs calm down again. The correcting behavior typically starts with very mild body language and then escalates further.
From then on it's settled. Publicly shaming others is a very human thing to do.
---
Again - torn. It feels both right and wrong. I wouldn't do it this way. Not with a person that I assume to be in a relatively weak position.
Sure. A scammer is probably substantially less well off than a Microsoft executive. Scammers are often not very well-off. That doesn't make their behavior acceptable or impolite to call out.
> He _could_ try and educate/correct the actor by firmly rejecting his request and clearly stating what the issue is without trying to embarrass him, let alone publicly shame him.
He's a "Microsoft Regional Director" and a "Microsoft Most Valuable Professional", but those things are very confusingly named. He's not an employee of Microsoft.
Hmm. I guess I just kind of felt bad for the guy being publicly shamed and I didn't understand the negative impact of his behavior enough. I tried to rationalize my gut feeling.
Agreed. Troy's the-work-is-already-done argument is also (a) not logically sound even if it were true, and (b) not really true in the general case. Here's why—first, though, let's highlight a just-so argument from the post:
> Attempting to scare people with an alleged vulnerability then withholding information about it until a financial commitment is made all whilst claiming to be a "white hat" is dishonest, deceptive, and fraudulent.
"Withholding information" in this context really means the absence of extra work—of having reached a milestone where something of substance is known, and a problem arises that involves needing to make a decision about whether to pursue it to its ends or not.
Writing up a disclosure is something that takes work. Cleaning up a messy POC so that it can actually be understood by someone else (or just capturing one in a fixed form instead of something transient/ephemeral to begin with) is something that takes work. Being responsive to the other party's questions is something that takes work. Clearing time to make yourself available—even if the other party doesn't have any questions—is something that takes work.
When you are claiming that someone has "already" done "the work" when they notify you a problem exists, you forfeit the argument the moment you ask "What is it?"
The infamous squeegee men of New York will sometimes break your window or otherwise vandalize your car if you refuse their "service." Even if they don't say it a given encounter, every New Yorker knows the implied threat. I don't see anything wrong with shaming this behavior loudly and publicly.
Nobody is threatening to break your window in this story. I don't know what things are like in NYC, but when someone with a bottle of Windex walks up in to my car on the west side of Chicago, my first thought isn't "I should be angry at this person for creating this uncomfortable encounter".
Well, that's the thing, it's implied. Maybe that particular person standing right by your car with a metal pipe (or emailing about an unspecific vulnerability with a hint that payment is required to avoid a bad thing) has no intention to escalate to criminal mischief. Maybe! It's still highly exploitative and deserves to be called out, regardless of the circumstances of the actor.
Who's "us"? There are other people in this very thread talking about curtailing their bounty programs and security contact methods because of the behavior under discussion exploiting the public square, so to speak.
Well, we should summon the nanoluthiers for these people who booted up bounty programs with the expectation that most of the on-spec reports they received would be valid and not the product of automated scanners, because nobody told them they should ask literally anyone who has ever run a bounty program whether these kinds of reports are a norm for unsolicited bounty submissions, or whether they're worth the tradeoff.
People should curtail these "bounty" programs. There is a generalist expectation about how bounties work that is not at all rooted in empiricism. I get why: the idea that you could put a `security.txt` on your website and start getting people to send you good bugs without compensation on faith that you'd come up with a fair valuation and pay accordingly... well, it's a beautiful idea! The fact that it can't possibly work that way, and that acquiring a feed of valid sev:lo-sev:med bugs involves, for savvy companies who have been doing this for 20+ years, outlays of $15,000-$20,000 is, I think, problematic for that idea. If this is news to you, that's fine! But don't run a bounty program; you're not ready, and it is absolutely not a tech company norm that you have to run one of these things.
You're responsible for staffing security@ no matter what you do; you can't curtail it. But you shouldn't advertise to people that you're interested in unsolicited reports unless you're willing to wade through a lot of DMARC spam. That's the tradeoff for getting, every once in a blue moon, a free report of a real vulnerability.
Fine, nothing controversial about anything that you wrote. I simply don't agree that it's wrong to shame people who soft-extort businesses or individuals.
Why wouldn't it make much difference? An email from a self-proclaimed white hat who spins scary tales of security vulnerabilities is an obvious attempt to alert and frighten. They purposely withhold information regarding the nature of the "breach" and suddenly start demanding payment when questions are asked regarding evidence and scope of exposure.
This isn't a good Samaritan who wants a little quid-pro-quo. This is a classic extortion technique. The more we shame and expose these actors, the better. I think Troy did a great job posting about this topic in the manner that he did.
Being a salesperson doesn't somehow make you immune to being an immoral actor. There are sellers all over eBay selling junk tech or empty boxes using weasel words and attempting to exploit people with less technical know-how.
This Mohammed guy is just a slightly different version of it. He knows exactly what he's doing, which is peddling snake oil hoping to lure in the scared and the less knowledgeable. Morality is certainly a factor and I will continue to criticize these actors on that basis.
Well, you do you. We don't have to agree. But the power dynamic and the norms of this field don't really support the argument you're trying to make, and I'm certainly going to push back on Troy Hunt's version of that argument as well. There is in fact something squicky about the idea that people running low-effort bug bounty programs should have an expectation of high-quality reports, given that they're asking people to perform an extremely high-value service with no promise of compensation. I don't think it's immoral to set those terms, but I do think you surrender your high horse when you do it.
The first part of the blog has the same underlying issue— why would you publicize a retracted response? It read to me like the author’s just trying to start personal conflicts in public.
But does this person reaching out to Troy truly qualify as a “bad actor”? Maybe the attempted process of reporting the “bug” makes them an asshole but I wouldn’t go as far as bad actor. I was honestly kind of surprised to be reading this from Troy. I’m sure he does see loads of these things but this still seems sort of petty. Or if not petty at least not interesting enough to be on HN.
The first problem, as Troy pointed out, is that this sort of behavior poisons attempts to create a straightforward and useful bug-reporting mechanism, as anything that is straightforward gets buried in bogus beg reports.
The second potential problem (I do not know if it applies to this particular person) is that the beggar may be on the lookout for an uninformed and manipulatable person who can be comprehensively scammed.
If you don't think this should be on HN you can choose not to vote for it or avoid future links to troyhunt.com.
> If you don't think this should be on HN you can choose not to vote for it or avoid future links to troyhunt.com.
I am well aware of that and I imagine you know that. Please don't be pedantic.
Troy's content is typically high quality and engaging (i.e., I won't be avoiding it). This is not, and I felt that on its own was worth a comment (and is even more interesting than the post itself).
You can express your opinion of an article without implying that it should not even come up for discussion (which would, of course, have removed your means of expressing your disapproval to an audience that has, by its upvotes and participation in this discussion, demonstrated that the article does belong here! Arguably, it belongs here precisely because of the controversial ethical issue.)
You are clearly aware of the pointlessness of complaints couched in this manner, yet you chose to do so anyway. Are you also aware that the guidelines for HN specifically deprecate this sort of thing? Moderating a public forum is a difficult task, Dang does a great job, and, while I do not think you intended it, it can come across as somewhat disrespectful to express disapproval of the content of an article by suggesting that his moderation didn't match one's particular point of view.
> publicly shame someone who's asking to wash your car window for $1
I don't think this metaphor completely fits. A more apt metaphor might be someone telling you your tire pressure is too low when you know your tire pressure is perfectly appropriate for the given types of tires you have and climate you're at.
It's pretty annoying when my boss (or my boss's boss) ends up reading one of these emails and freaks out because they don't understand the severity of the problem. Usually when I see these emails they are blasted to every email address that can be found on the contact page, including things like sales channels. Explaining the context of security vulnerabilities that are irrelevant given our configuration is not a particularly fun or easy thing to do for non-technical executives terrified of data breaches.
> I don't think he has a particularly persuasive rebuttal to the argument that it's not honorable or productive to publicly shame someone who's asking to wash your car window for $1.
That's a losing argument because it's a strawman anyway. Nobody's really offering to wash a car, outside of a bad analogy.
In want of a rebuttal, I offer the following:
It's not the sole responsibility of random software people receiving these dubious-at-best reports to address the problems caused by late-stage capitalism that put people in desperate situations to where they would need to resort to such behavior. There are probably a lot more political solutions to prevent people from being desperate. There's probably a side-discussion to have about what is the best tactic to help the most people in a given situation, and how software people can do their part, but it's ultimately a bigger problem than any of us.
Further, even if we waved a magic wand and fixed the very real human suffering that goes into the analogous case, that might get rid of the $1 window washers (because it's a thankless thing people do out of desperation), but it's less likely to eliminate what Troy is calling beg bounties. The reason is that the incentives for the latter are different than extreme poverty and homelessness; there's an element of fame-seeking and point-collecting on top of it. The platforms are gamified, you see.
In that regard, I would argue that it is more honorable to publicly shame the beg bounty crowd than someone who's asking to wash your car for $1. However, that just establishes the inequality, not the delta. I don't think I could convince anyone that it's totally honorable, just more honorable.
You used to be able to do `git clone https://codemirror.net`, which was kind of neat. But the constant barrage of emails from "security researchers" who had found a "vulnerability" (an exposed git directory holding an open source codebase) has made me configure my server to deny all .git paths.
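A practitioner receiving one of these "your .git is exposed" reports wants two things: a way to confirm whether the claim is even true (many scanners flag a soft-404 page that answers 200 to every path), and the deny rule the commenter mentions. The following is an added example, not code from the commenter or from the CodeMirror project; it probes `/.git/HEAD` and `/.git/config` through an injectable fetcher so the classification can be exercised against constructed responses, and the hostnames in the usage are placeholders.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Paths an exposed .git directory answers on. HEAD is the usual probe because
# its content is distinctive; config confirms there is a real repository.
GIT_PROBES = ("/.git/HEAD", "/.git/config")

# HEAD is either a symbolic ref or a bare commit id (SHA-1 or SHA-256 repos).
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})\s*$")
CONFIG_RE = re.compile(r"^\s*\[core\]", re.MULTILINE)

# A fetcher maps a URL to (status, body). The real one below does HTTP; the
# tests pass a dict-backed stand-in with constructed responses.
Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Real fetcher: returns (status, first 4 KiB of body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def classify_git_exposure(base_url: str, fetch: Fetcher) -> Dict[str, object]:
    """Probe base_url for a readable .git directory.

    'exposed'   : /.git/HEAD returns 200 with content that really is a git ref
                  (a catch-all 200 page with HTML in it does not count)
    'blocked'   : every probe is refused with 401/403 (a deny rule is in place)
    'not_found' : anything else
    """
    base = base_url.rstrip("/")
    results = {path: fetch(base + path) for path in GIT_PROBES}

    head_status, head_body = results["/.git/HEAD"]
    cfg_status, cfg_body = results["/.git/config"]

    head_ok = head_status == 200 and bool(HEAD_RE.match(head_body.strip()))
    cfg_ok = cfg_status == 200 and bool(CONFIG_RE.search(cfg_body))

    if head_ok:
        verdict = "exposed"
    elif all(results[p][0] in (401, 403) for p in GIT_PROBES):
        verdict = "blocked"
    else:
        verdict = "not_found"

    return {
        "verdict": verdict,
        "head_valid": head_ok,
        "config_valid": cfg_ok,
        "statuses": {p: results[p][0] for p in GIT_PROBES},
    }


if __name__ == "__main__":
    import sys
    # Placeholder target; pass your own host on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.invalid"
    print(classify_git_exposure(target, http_fetch))
```

If the verdict is `exposed` and the repository is already public, as in the CodeMirror case, the report is a non-finding and the reply can say so. If it is exposed and the code is not public, treat it as real: the whole history, including any committed secrets, is downloadable. The nginx rule that turns the verdict into `blocked` is a single location block, `location ~ /\.git { deny all; }`, which refuses every path under any `.git` directory rather than just `/.git/`.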
I suspect 95% of the value provided by services like Bugcrowd is preventing the emotional exhaustion of dealing with these types of people.
My favorite is one I remember getting about how the site suffers from having perfect forward secrecy, which is a "critical" TLS vulnerability that needs to be fixed immediately.
We have 'security bounty program' listed in our website footer. Also a security.txt. We still get emails saying they found some kind of vulnerability and asking if we have a bounty program. Sometimes via our contact form, where we can check what the user did on our website prior (usually: nothing). At this point it's spam.
Most infuriating report was that there's a world-readable directory listing and people can download files, URL like http://dowloads.$mycompany.com/public with literally a README file explaining that all files are public and meant for people to download.
Have you all considered putting a category on your contact form for security reporting that automatically replies with the information about your program? It would give people the chance to find the desired path even if they miss the link in the footer.
Our company is small, security@$mycompany.com email and customer service email go to the same staff. We have a standard reply pointing to our bounty page. It explains all steps, what qualifies, what doesn't qualify, payment process, hall of fame. The more we explain the less we hope we need to manually answer. We paid out 20 bounties so far I think.
We got contacted by someone spoofing an openbugbounty.org report (similar domain, sent from a Gmail account if you checked headers). The report was copy-pasted from one for a different site, and it didn't really apply to us (but you had to know the internals). Worst part: based on the email the spoofer used, and the one associated with their PayPal, they had two legit profiles on openbugbounty.org with hundreds of verified bounties.
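The header check the commenter describes is easy to automate. The following is an added example, not the commenter's code: it parses a raw message and compares the domain in `From` against the envelope sender (`Return-Path`), the `Reply-To` and the DKIM signing domain recorded in `Authentication-Results`, and flags a `From` domain that merely resembles the platform you expect mail from. The sample message, the lookalike domain `openbugbounty-notify.org` and the `mx.example.net` receiver are constructed for the example and are not taken from the thread.

```python
import email
import re
from email.utils import parseaddr
from typing import Dict, List

# Constructed sample, not a real report: the From header carries a lookalike
# of the platform's domain, while the envelope sender, Reply-To and the DKIM
# signing domain all belong to a consumer mailbox provider.
SAMPLE_RAW = """\
Return-Path: <someone.random@gmail.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.d=gmail.com header.s=20161025
From: Open Bug Bounty <report@openbugbounty-notify.org>
Reply-To: someone.random@gmail.com
To: security@example.net
Subject: [openbugbounty] Vulnerability report for example.net

Please find the report at ...
"""


def _domain(addr: str) -> str:
    """Domain part of an RFC 5322 address, lower-cased; '' when absent."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower().strip("<> ")


def _looks_like(candidate: str, legit: str) -> bool:
    """Cheap lookalike test: the registrable label of the legit domain appears
    inside the candidate's label but the domains are not equal. Triage only."""
    if not candidate or candidate == legit:
        return False
    c_label = candidate.rsplit(".", 2)[-2] if "." in candidate else candidate
    l_label = legit.rsplit(".", 2)[-2] if "." in legit else legit
    return l_label in c_label


def check_sender(raw: str, legit_domains: List[str]) -> Dict[str, object]:
    """Compare the visible From domain with every other sender signal in the
    headers and return the mismatches as human-readable findings."""
    msg = email.message_from_string(raw)
    from_dom = _domain(msg.get("From", ""))
    envelope_dom = _domain(msg.get("Return-Path", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "") or ""
    m = re.search(r"header\.d=([\w.-]+)", auth)
    dkim_dom = m.group(1).lower() if m else ""

    findings: List[str] = []
    for legit in legit_domains:
        if _looks_like(from_dom, legit):
            findings.append(f"From domain {from_dom} is a lookalike of {legit}")
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"Return-Path domain {envelope_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if dkim_dom and dkim_dom != from_dom:
        findings.append(f"DKIM signing domain {dkim_dom} does not match From domain {from_dom}")

    return {
        "from_domain": from_dom,
        "envelope_domain": envelope_dom,
        "reply_domain": reply_dom,
        "dkim_domain": dkim_dom,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for line in check_sender(SAMPLE_RAW, ["openbugbounty.org"])["findings"]:
        print(line)
```

A DKIM pass is only meaningful when the signing domain is the one shown in `From`; mail that passes DKIM for gmail.com while claiming to be from a bounty platform is exactly the case the commenter hit. Note that a Reply-To pointing at a personal mailbox is also what a legitimate but lazy reporter does, so treat the findings as reasons to check the platform's own site for the report rather than as proof on their own.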
On the other side of this I remember how difficult it was to get through to someone at a company who had somehow left their Stripe secret key exposed (along with a bunch of other config vars, including a PayPal secret and a Google private key).
I even gave them a specific curl command to see it. After not receiving any response I finally called up customer service, and sometime (months) later they finally fixed it. (They never responded once though, and I couldn't be bothered to ask if they rotated their keys like they should have since it was such an arduous process.)
I think there's a lesson in here about good intentions and what happens when you fail to consider abuse.
In this case, there's a whole cottage industry that seems to consist mostly of people with a script or two, some email templates, and a copy of Burp. Generally in some poor, underprivileged corner of the Earth. Each $50 or $100 bounty is quite a lot of money to them. $500 could easily be a month's average income there.
I have no doubt that plenty of them are good people, looking to better themselves from a deeply disadvantaged state and gain access to a lucrative profession. Yet many also seem to be no better than spammers with no interest in learning more about information security. They just want to run their script, blast out spam, and get a bounty or two.
Security.txt and the general way vulnerability reporting works is very vulnerable to this kind of abuse. It would be nice if there was a better way to handle it, but as Troy points out we're currently limited to networking. That's pretty far from ideal.
At my day job, I also handle our security enquiries, and we're very diligent in following them all up, but most are quite low quality, and fairly spammy as you said.
What we've done to try and cut it down is link to a HackerOne bug bounty that excludes a lot of the low quality stuff as out of scope, and that seems to cut down on the low quality ones.
I have received anonymous security notices that suggest we should send money to the "researcher" who wishes to remain anonymous. While I appreciate receiving information on security vulnerabilities, if the person who contacts me remains anonymous then I consider their communication to be a threat and extortion.
If anyone wishes to report a security vulnerability in good faith, and they hope for remuneration of any sort, then they need to identify themselves unambiguously.
I can understand wanting to stay anonymous; many companies are hostile towards people who find security vulnerabilities. If they have a real vulnerability and share it I'd accept their request to stay anonymous.
If they would not share until I paid, or did something sketchy other than requesting anonymity then I would probably consider it more on the hostile side, but not just because they didn't want to share their true name.
One case I didn't see mentioned here, is where well-meaning programs can support beg bounties: I've seen reports sent to an open source product through a platform which is offering up their own bounties for security fixes in open source. A noble idea, but then you get meaningless security reports, combined with them begging you to just go mark them as real security issues so they get a payout, even if it's not a real security issue.
I’ve received quite a few reports from them for my open source projects (it seems once you respond to one, everyone piles on). Some of them are invalid, duplicate, or only involve configuration of a demo app but for the most part I have been OK with them. None of the reporters have “begged” me for anything yet and in something like 75% of the cases the result has been a small bug fix to my projects.
I’ve had enough interaction with them that I’ve even added a SECURITY.txt file referencing the program to some of my repos.
I won't say such a solution is without merit, by any means, but it lowers the barrier significantly to mass requests of bug bounties of increasingly trivial nature. Since the entity paying out has less knowledge of the product being reported on, it's arguably difficult for them to know if a bounty is justifiable, and since the developer isn't on the hook for the money, they have little incentive not to agree to pay out.
The combination to me feels like a recipe for a lot of payouts for dubious reports. And in at least one case, a request was made to mark a report as valid even though it wasn't really a security flaw or something that was going to be "fixed".
It's good to hear someone has had a positive experience though!
Companies tend to pay more attention, in my experience, when you tell the company you're doing coordinated disclosure, and send along a link about how it works, and how it helps the company with security and goodwill.
We have an up to $250,000 bug bounty for reporting a critical vulnerability in some of our code, as well as a whole page on reporting issues.
Never had a major report, but we get one or two of these SPF/DKIM/Headers/SSL per week.
One memorable guy kept emailing us back from different email addresses and using different names for each, but following right along with the thread of the conversation...
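The weekly SPF/DKIM/headers/SSL reports mentioned above are quick to triage if you can read your own SPF record rather than taking the reporter's word for it. The following is an added example, not code from the commenter: a static analyser for a single SPF TXT record that reports the qualifier on `all`, counts the terms that cost a DNS lookup (RFC 7208 allows 10 per evaluation) and lists only the conditions that are actually worth fixing. It does no DNS resolution, so `include:` chains are counted once each rather than recursively; the sample records in the usage are constructed.

```python
import re
from typing import Dict, List, Optional

# Mechanisms and the redirect modifier that each cost a DNS lookup under the
# RFC 7208 limit of 10 per evaluation; beyond that the result is permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = "+-~?"


def analyze_spf(record: str) -> Dict[str, object]:
    """Static read of one SPF TXT record (no DNS).

    Returns whether it is an SPF record at all, the qualifier on 'all'
    (None when the record has no 'all' term), a static count of
    lookup-costing terms and a list of issues that actually matter.
    """
    issues: List[str] = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "all_qualifier": None, "lookup_terms": 0,
                "issues": ["not an SPF record (missing v=spf1)"]}

    all_qualifier: Optional[str] = None
    lookups = 0
    for term in terms[1:]:
        low = term.lower()
        if all_qualifier is not None:
            # Evaluation stops at 'all'; anything after it is dead text.
            issues.append(f"term '{term}' after 'all' is never evaluated")
            break
        if low[0] not in QUALIFIERS and "=" in low:
            # Modifier (redirect=, exp=). Only redirect costs a lookup.
            if low.partition("=")[0] == "redirect":
                lookups += 1
            continue
        qual = "+"                      # the default qualifier is pass
        if low[0] in QUALIFIERS:
            qual, low = low[0], low[1:]
        mech = re.split(r"[:/]", low, maxsplit=1)[0]
        if mech in LOOKUP_TERMS:
            lookups += 1
        if mech == "ptr":
            issues.append("ptr mechanism is deprecated (RFC 7208 section 5.5)")
        if mech == "all":
            all_qualifier = qual

    if all_qualifier == "+":
        issues.append("'+all' authorises every host on the internet to send as this domain")
    elif all_qualifier == "?":
        issues.append("'?all' is neutral: the record asserts nothing about unlisted senders")
    elif all_qualifier is None:
        issues.append("no 'all' term; unlisted senders get a neutral result")
    if lookups > 10:
        issues.append(f"{lookups} lookup-costing terms exceed the limit of 10; evaluates to permerror")

    return {"valid": True, "all_qualifier": all_qualifier,
            "lookup_terms": lookups, "issues": issues}


if __name__ == "__main__":
    # Constructed records, not anyone's real DNS data.
    for rec in ("v=spf1 include:_spf.example.net ~all",
                "v=spf1 a mx +all",
                "v=spf1 ip4:192.0.2.0/24"):
        print(rec, "->", analyze_spf(rec))
```

The usual beg-bounty claim is that `~all` (softfail) is a vulnerability. It is not: softfail on a domain that also publishes a DMARC policy is a deliberate and common configuration, and the analyser above leaves it out of the issues list on purpose. `+all`, a missing `all`, or a record that blows the lookup limit are the cases where the report, however badly written, is pointing at something real.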
Why are the later email exchanges in this post documented through embedded tweets of images of text? On mobile most of the images are cut off in this display format, requiring readers to click through to Twitter to read each one of them. I don't really understand why people do this when they can either embed the image directly or just copy-paste the text.
There seems to be a cottage industry of folks scraping places like ProductHunt and hitting them up with these emails. We posted to ProductHunt twice and got multiple "beg bounties" along with someone claiming they could get us to #1 product of the day, for a nominal fee of course.
So I wonder how much of this is related to an article I read a while back about certain cyber sec (legit or not) university programs that encourage (read: require) their students to essentially pull this stuff in order to get their names out there (name of the individual and/or the school). The effort is pretty much a naked attempt to drum up a pile of "finds" and show your socials that you are a 'security professional' (padding the resume, so to speak). The thing about this effort is that those schools are actively driving their students to do this in order to graduate, if the article was correct..... Not certain if this is the other side of the situation, but compelling.
What's wrong with full disclosure? It's the only thing that really works.
So what if someone is slightly embarrassed? Lag time for "responsible disclosure" is often on the scale of months-to-quarters. If it's truly a real security problem and not just some made up attack that can only happen in a lab under ideal conditions, it will be a red-ball.
So, disclosure policy is kind of an active discussion within the security community, but there is a general move away from coordinated disclosure (aka responsible disclosure), where the vendor and reporter coordinate on disclosing the vulnerability, not publicly disclosing until the vendor okays it.
Coordinated disclosure puts a lot of power in the vendor to simply ignore or delay fixing issues, and frankly may not actually be the "responsible" course of action. Full disclosure, where the first warning anyone has about the issue is when all the details are dropped about it to the public, _may_ result in a faster patch time, but it also increases the risk of it being weaponized during that in-between period. There is the chance it was being used in the wild without being known also, but releasing the information increases the risk of those in-the-wild attacks by reducing the overhead necessary to carry them out.
All that said, there is a newer option that has been pretty steadily gaining popularity over the last seven or so years: deadline-based disclosure. This did exist before, but really gained popularity in recent years as Google's Project Zero adopted it as their disclosure policy. This is the idea where the reporter discloses a vulnerability to the vendor, which starts a countdown to public disclosure (90 days is fairly common, but I've seen 30, 60, and 180 reasonably often also).
I think this deadline-based disclosure option strikes a good balance between the benefits of coordinated, and full disclosures.
I don't agree with the holier-than-thou gatekeeping that Troy is attempting to justify here.
I do agree that Responsible Disclosure™ is bullshit, “beg bounties” are a symptom. Troy’s approach is a symptom. Saying “look at me, I never ask for money” is so immature and privileged and lacks empathy when he goes through the exact same thing but then blames it on other people. He genuinely believes that his database of hacker goodies and monetization paths is better in some moral sense and says “no, everyone else is wrong” after people on twitter are like “dude, wtf”.
It would be wrong even if he had zero monetization paths too.
> Saying “look at me, I never ask for money” is so immature and privileged
If I find a vulnerability in your website, I'll disclose it publicly in 90 days, and I want $$$$ to disclose it to you early, that sounds extremely close to me blackmailing you for protection money.
Whereupon you might well decide, instead of paying, that you'll go to the cops and try to get me arrested for blackmail/hacking.
To me, a policy of never asking for money isn't "privilege", it's common sense.
It's a symptom of a broken industry; you didn't disprove a thing, except telling us all you didn't know what "symptom" was referring to.
I intentionally didn't offer solutions, as that's not necessary to point out that there is a different problem, where trying to shame everyone into compliance is a dumb approach.