I think there's a lesson in here about good intentions and what happens when you fail to consider abuse.
In this case, there's a whole cottage industry that seems to consist mostly of people with a script or two, some email templates, and a copy of Burp. Generally in some poor, underprivileged corner of the Earth. Each $50 or $100 bounty is quite a lot of money to them. $500 could easily be a month's average income there.
I have no doubt that plenty of them are good people, looking to better themselves from a deeply disadvantaged state and gain access to a lucrative profession. Yet many also seem to be no better than spammers with no interest in learning more about information security. They just want to run their script, blast out spam, and get a bounty or two.
Security.txt and the general way vulnerability reporting works is very vulnerable to this kind of abuse. It would be nice if there was a better way to handle it, but as Troy points out we're currently limited to networking. That's pretty far from ideal.
At my day job, I also handle our security enquiries, and we're very diligent in following them all up, but most are quite low quality, and fairly spammy as you said.
What we've done to try and cut it down is link to a HackerOne bug bounty that excludes a lot of the low quality stuff as out of scope, and that seems to cut down on the low quality ones.