> What are they going to do, tweet that you have an inadequate SPF record?
Heh, well, given that I run an e-mail hardening platform, our customers rely on our consulting on how to (amongst other techniques) set an adequate SPF record. So, in my specific case, this would actually be bad publicity.
But what I meant was that for serious security issues, white hat hackers often do a writeup, as part of the public incident report. These often contain timelines. If it contains "contacted security@company.com, but got no response", this will make you look bad. This is what I meant by the reputation risk.
I guess my point is that it's only a risk if they're finding real vulnerabilities, and if that's what they're doing, our sympathies should be recalibrated. (Obviously, I think it's most likely that they're not finding real bugs).
That's not what's happening. If you're missing real bounty reports because you can't pick them apart from bogus SPF-type reports, that's on you. We've all had something like 10 years of experience fielding bounty reports and the one unmistakable dominant theme of everyone's experience with them is that almost all of the rando inbound reports are junk. Every competent security@ practice handles them just fine.
It's annoying, but frankly what can you really expect? Bounties are spec work. I think spec work is fine, and that designers are mostly wrong about pushing back on it (it's a norm in all sorts of professions) but I'm sure as hell not going to get up on a high horse about the quality of my spec submissions. If I want to cultivate an expectation of high-quality reports, I retain consultants, or run a Google-style program with nosebleed-high payouts for sev:med bugs.
The people we're talking about are spraying and praying for $50 bounties. They're not getting in the way of anyone's RCE report.
The researchers who get no response from valid bugs are running into vendors who run bad software security practices. That's not the fault of low-skilled amateur researchers.
Why not have a specific web form on your contact page that says "report a bug" that takes 1) contact email, 2) example compromised data (if any), 3) steps to reproduce, and 4) description of the bug?
A contact page that has a form to be filled out with an auto response stating that there are no bounties paid out, but all bug reports are read.
Any downsides? Full disclosure, I have not maintained the code on a website or server before.
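As an added illustration of the form-based intake the comment above proposes (this is example code, not something posted by anyone in the thread): a minimal handler that validates the four proposed fields, tags reports that fall into classes the thread calls out as almost always informational (SPF/DMARC-style configuration findings, missing headers), and generates the "no bounties, but every report is read" auto-response. Field names, the keyword patterns, the priority labels and the sample submissions are all assumptions constructed for the example; the point is that the tagging only affects which queue a report lands in, never whether a human reads it.

```python
import re
from dataclasses import dataclass, field

# Assumed field names for the "report a bug" form described in the post.
REQUIRED_FIELDS = ("contact_email", "steps_to_reproduce", "description")
OPTIONAL_FIELDS = ("example_compromised_data",)

# Deliberately loose address check: the goal is a reachable reporter, not RFC 5322.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Report classes that are overwhelmingly informational on their own. They are
# still read; they just go to the normal queue instead of paging anyone.
# (Assumed list for the example; a real deployment would tune it.)
INFORMATIONAL_PATTERNS = {
    "email-auth-config": re.compile(r"\b(spf|dkim|dmarc)\b", re.I),
    "missing-header": re.compile(
        r"\b(x-frame-options|content-security-policy|strict-transport-security|hsts)\b", re.I
    ),
    "clickjacking": re.compile(r"\bclickjack", re.I),
}


@dataclass
class IntakeResult:
    accepted: bool
    errors: list = field(default_factory=list)
    tags: list = field(default_factory=list)
    priority: str = "none"
    auto_response: str = ""


def validate(form: dict) -> list:
    """Return a list of validation errors (empty list means the submission is usable)."""
    errors = []
    for name in REQUIRED_FIELDS:
        if not str(form.get(name, "")).strip():
            errors.append(f"missing required field: {name}")
    email = str(form.get("contact_email", "")).strip()
    if email and not EMAIL_RE.match(email):
        errors.append("contact_email is not a valid address")
    return errors


def triage(form: dict) -> tuple:
    """Tag the report and pick a queue. Returns (tags, priority)."""
    text = " ".join(str(form.get(k, "")) for k in REQUIRED_FIELDS + OPTIONAL_FIELDS)
    tags = [tag for tag, pat in INFORMATIONAL_PATTERNS.items() if pat.search(text)]
    # Concrete evidence of exposed data always gets a human first, regardless of keywords.
    if str(form.get("example_compromised_data", "")).strip():
        return tags, "review-first"
    # Keyword-only matches go to the informational queue; everything else to normal review.
    if tags:
        return tags, "informational"
    return tags, "review"


def auto_response(ticket_id: str) -> str:
    """The canned acknowledgement the post suggests: no payout, but every report is read."""
    return (
        f"Thanks for your report (ticket {ticket_id}). We do not pay bounties, "
        "but every report submitted through this form is read by the security team."
    )


def handle_submission(form: dict, ticket_id: str) -> IntakeResult:
    """Validate, triage and acknowledge one form submission."""
    errors = validate(form)
    if errors:
        return IntakeResult(accepted=False, errors=errors)
    tags, priority = triage(form)
    return IntakeResult(accepted=True, tags=tags, priority=priority,
                        auto_response=auto_response(ticket_id))


# Constructed sample submissions (not real reports) to exercise the handler.
SAMPLE_REPORTS = {
    "spf": {
        "contact_email": "reporter@example.com",
        "steps_to_reproduce": "dig TXT example.com",
        "description": "Your domain has an inadequate SPF record.",
        "example_compromised_data": "",
    },
    "with-evidence": {
        "contact_email": "reporter@example.com",
        "steps_to_reproduce": "see attached notes (redacted)",
        "description": "Able to view invoices of another account.",
        "example_compromised_data": "redacted invoice PDF from another account",
    },
    "invalid": {
        "contact_email": "not-an-email",
        "description": "something is wrong",
    },
}

if __name__ == "__main__":
    for name, form in SAMPLE_REPORTS.items():
        print(name, handle_submission(form, f"T-{name}"))
```

The validation and the triage are kept as separate functions so the form can reject unusable submissions up front while never discarding a usable one: a tagged report still lands in a queue that someone reads, which is the property the post is after.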
You need to answer arbitrary, informal emails to `security@` no matter what. You can't impose a protocol on top of that. Serious security researchers can reasonably blow off coordination with you if you get fussy with it.