1. The first is literally the first example of the article: real/important vulnerability disclosures get confused with beg bounties which don't need to be acted on / are not serious (most of the time). That can cause real harm.
2. The second reason is the approach that the beg bounty uses: that of fearmongering. If the beg-bountier disclosed the vuln and asked for the bounty that would be ok, but withholding the vuln until payment is assured is a scam.
3. How can one even properly valuate how much the vuln should be worth without knowing what it is / capable of doing?
I have a hard time sympathizing with this. Our project gets a handful of these "beg bounty" things a year; usually they're repeats -- SPF and "clickjacking" are common ones, but we also get other ones. ("You're exposing people's usernames through this weird JSON thing!" "Yes, we're also exposing people's usernames in the 'by' line of the post itself. There's nothing in that JSON that's not also available by just doing plain web scraping."). If we see a new complaint we always look at it to see if it's something we actually care about.
If you're working with pictures and audio of kids, or have details of people's activities that they may not want made public (like their taste in "Adult Fanfic"), there's absolutely no excuse for not looking at each report, even if 95% of them are low-value.
EDIT: I mean of course the "Report and then ask for a bounty" kinds, not the "Give me the bounty and I'll tell you the bug" kinds.
My suggested approach is to not engage.
Things that are _technically_ security issues, but not something that affect us or are exploitable in a meaningful way. $50 a few times a year is stupid cheap to build a reputation of actually paying out security researchers.
Among the junk, we've had a few legit bounties submitted. That alone is worth the noise these "beg bounties" create.
----
Security is a never ending game of cat and mouse. If you can pay out a small amount to people who might, just might, catch something all of your other processes miss, it's a pretty easy decision.
It also helps that we have very clear rules and defined scope: we've put out of scope the usual suspects and researchers rarely argue when we point out they should have read the rules better before submitting.
Regarding bounties, my yardstick rule is that if a report made us reconsider our practices and change something on our side, then it's worth a bounty, even small. If not, then no bounty for ya, simple as that.
Also, I don't remember getting a disclosure report where they would ask for money before disclosing the vulnerability, I don't think it's that common. Still, this would go straight to the spam folder.
It’s one thing to go begging, it’s another when they feel entitled to some sort of payout. I never asked for their “services” - and in my limited experience, they lash out at you too, when you explain you’re not paying.
By the time it started showing up in 1980s comedy films, it was mostly gone in real life. I am surprised to see an Ozzie referring to this. Or is he referring to something else?
I also think that is perfectly fine to document the process in public so that everyone is informed.
Also, in regards to your comment on meaningful payouts, you could make the same argument for spam email. "Occasionally it works for people in developing countries" is, in my opinion, a terrible argument for allowing such behavior.
I think the point GP was raising isn't that it's ok, but that it's part of a wider problem and isn't just happening because people are stupid. It makes sense for them because of how the world economy is currently set up. Saying "hey will you just stop please" won't change that fact. Exactly the same thing is true for spam.
Most of them live fairly miserable lives of poverty.
That doesn't excuse them, but I don't feel it does me any good, to pile further misery on them, when it's just easier to walk away.
If you want to help them, why not just send them $$?
Usually the goal is to keep them away from real victims, to prevent further misery of more people.
You are advocating for feeding the troll. The troll will not be satisfied with table scraps. Larger trolls will see the opportunity and scale up.
I get what you’re saying. I don’t have a solution to the inequality you point out. But rewarding the bad behavior doesn’t help rectify the inequality, it just makes more bad behavior.
They didn't listen to me and I found that offensive, so I used the flaw to get access, and leave a message on their FTP server. I didn't destroy nor steal any data. They responded by reporting the incident to the police.
What jurisdiction? I would think this was just trespass.
Missouri's governor threatened legal action against a reporter who found SSNs were being leaked on a public web page accessible simply by clicking "View Source". The reporter "followed standard protocols for disclosing and reporting on the vulnerability, the governor is treating him as if he attacked the site or was trying to access the teacher's private information for nefarious purposes".
This pisses me off on so many different levels. The reporter told proper authorities and gave them time to fix it before he made the information public but MO's jack-wagon of a governor tried to pin blame on the reporter.
[1] https://www.theverge.com/2021/10/14/22726866/missouri-govern...
You don't even need to be destructive to become a target for prosecution sometimes. Being stupid or incautious is enough.
[1] https://blog.haschek.at/2015-that-not-so-awesome-time-the-po...
Apart from that they just logged the incident and there was no follow-up.
Of course you should also do the white hat part in anonymized fashion.
Every single time. They don't really care about users, their safety and privacy. They care about legal liability and not looking foolish in public. It seriously makes me wish people would just publish vulnerabilities straight up complete with exploit source code so they'd have literally no choice but to care.
It seems far more likely that they didn’t understand the email from Troy or dismissed it as spam or a scam.
They took notice because a bunch of their regulars started getting emails from HIBP. Some of these did understand, and brought the issue to the attention of the admins in a way they understood.
That's what happens when there are too many who "cry wolf"; and bug-bounty programs just incentivise that behaviour.
If anything, my conclusion is that security researchers shouldn't have any qualms about releasing vuln info. By all means, give the concerned party an opportunity to act in good faith, but when they invariably don't, send it.
If you're doing un-asked-for work, you can't expect to get paid.
Say you find a genuine issue. You can document it and send it to them. You might suggest an appropriate amount, but you've given them something to evaluate. Chances are you get nothing, but there is still other value in the exercise.
You can also add this to your portfolio. Once you have a few of these apply for jobs at security firms. They can judge your skill level to see if you're worth adding to the team.
You can also determine if this is a whole class of problem. Publishing the issue (without naming the company involved) raises your profile. You can leverage that profile into paid work down the road.
Of course you should understand all this before you "do the work" in the first place. If you're gonna do random drive-by work you should understand your goals. Given that the parent did not disclose, presumably there was some other motivation in play.
There's no problem with that. Anyone who does report anything is doing them a favor. Which they often repay with lawsuits.
I agree. The OP comes across a bit gatekeepy to me. Not everyone has made a big name for themselves yet.
How are you supposed to find customers in the first place? Gotta start somewhere.
Quality of the findings is orthogonal to asking for compensation.
There will always be people asking for money without providing value. But I don’t think we should throw the baby out with the bath water because of it.
Hard, hard disagree. I'm glad this "beg bounty" behavior has a name for it, because it's so f'ing obnoxious, and so common, and all it really does is make it that much harder when a serious researcher does need to report a real vulnerability.
Let's not pretend there is some sort of gray line between what responsible disclosure looks like, and what bullshit beg bounty disclosure looks like - after all, Hunt does an excellent job showing the difference. He showed an email he wrote that identifies where he's from, and gives clear verifiable evidence of a serious breach. That is night-and-day different from the "I found something naughty on your website, will you pay me??" example from the beg bountier.
Point being, if you are a serious researcher and you have actually found a high-value vulnerability, there are proper ways to message that even when you feel compensation is warranted. These beg bounties never look like that because they all have the same achilles heel: the "vulnerability" is such an eye roller that they can't actually give evidence of it before asking for money precisely because they know it's so low value.
This is a terrible take. Orthogonal to having a reputation, sure. Orthogonal to having a particular certification or credential, absolutely. But quality is absolutely non-negotiable. If your work is bad and nobody asked you to do it then you’re not a professional, you’re a charity.
The piece is gatekeeping in the same way the spam filters we all use are gatekeeping. There's always stuff we want to keep on the far side of our filters. Beg bounties are among them for many.
https://www.ftc.gov/news-events/news/press-releases/2012/12/...
But this idea that people 'did actually already do the "work" for free' so don't deserve remuneration… isn't great.
Lots of people do spec work to try and get paid, or to get more work. The recipient is free to negotiate, rebuff or simply ignore it, but this idea that time sunk is valueless is unhelpful.
Not defending "Hammad" here. If you do spec security work you need to lead with what you've got, even if that's just a rough CVE severity rating, and your price. But I think I'd rather have people checking my configuration and taxing me for my errors than not to know at all.
1. Imagine a painter on the street, who made a quick painting of you and your partner in your natural state while being unaware of the process. Then he comes and asks if you are willing to pay and get it to yourself. No, you don't have the right to get it for free only because it was already painted.
2. Imagine that while you are on your walk, a guy comes to you and informs you that your bag was open and some stuff may have disappeared (dropped and/or stolen) from it. He went out of his way to detour and catch up to you (he had to run!) to report the issue. It was voluntary, but it is good behavior. In the physical world that alone should be rewarded (at least with sincere thanks). But if you are not willing to compensate, he has no duty to go spend even more of his time and energy in order to walk back, show you all the places where your stuff dropped and to stay and document all the details for your police/insurance application. He already did you a favor and is not required to put any more effort into it for free. It would be nice, but not a duty; especially because we are not talking about a private person or a hobby project, but about a company business. Discovering a vulnerability is one thing, but properly writing it up and documenting it is a totally different expenditure of time, energy and opportunity cost. It is not free.
But you shouldn't expect to get the result for free.
1. "I can download archives of your public mailing list from your website!"
2. "I can download tarsnap source code from your website!"
3. "I can telnet to port 25 on your mail server and send you an email!"
I have the misfortune of being an early offerer of bug bounties -- and being unusual in offering bounties for all bugs, not just security bugs -- which means that Tarsnap shows up pretty quickly when bounty beggars start looking for targets.
Yeah man, I know that. I made it public.
I eventually had to take it down, just to stop the flood of beg bounties telling me about it.
So much "yes I know it's supposed to be that way".
But it was fun because we were young, the "attackers" were our friends, and there weren't billions of dollars on the line.
I’ll definitely keep a link to this for next time this happens.
The annoying case is when you have them correctly configured but are using ~all instead of -all so you still need to deal with the beg bounties.
Reports on lack of SPF/DMARC records on security headers can be annoying, and often false, because there are some legitimate cases an SPF record with `~all` is necessary, or you have to have a permissive CSP for whatever reason.
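To make the `~all` versus `-all` distinction in the two comments above concrete, here is an added triage helper (not code from the thread, from HIBP or from any commenter) that classifies the qualifier on an SPF record's trailing `all` term so a "weak or missing SPF" report can be judged in seconds; the sample records are constructed and nothing is looked up in DNS.

```python
import re

# Qualifier meanings for the "all" mechanism (RFC 7208, section 4.6.2).
QUALIFIERS = {
    "-": "fail: unlisted senders are rejected",
    "~": "softfail: unlisted senders are accepted but marked",
    "?": "neutral: no assertion, same as having no policy",
    "+": "pass: anyone may send, no protection at all",
}

# Triage verdicts. A softfail is frequently deliberate (staged rollout, or
# DMARC is doing the enforcing), so it is not treated as a finding here.
VERDICTS = {
    None: "no SPF record published; worth fixing, but trivially visible",
    "-": "strict policy; a 'weak SPF' report is not actionable",
    "~": "softfail; usually intentional, not a vulnerability by itself",
    "?": "neutral; gives no spoofing protection, tighten it",
    "+": "permits any sender; fix it",
}


def all_qualifier(record: str):
    """Qualifier ('-', '~', '?', '+') of the record's 'all' term; None if the
    text is not an SPF record; '?' if no 'all' term is present, since RFC 7208
    section 4.7 defaults unlisted senders to neutral. A 'redirect=' modifier
    (evaluation continues at another domain) is deliberately not handled."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # bare "all" means "+all"
    return "?"


def triage(record: str) -> dict:
    """Summarise one SPF TXT record for whoever handles the report."""
    q = all_qualifier(record)
    return {
        "qualifier": q,
        "meaning": QUALIFIERS.get(q, "no SPF record"),
        "verdict": VERDICTS[q],
        # Only missing, neutral or '+all' records merit a fix.
        "needs_action": q in (None, "?", "+"),
    }


# Constructed sample records, one per policy type.
SAMPLES = {
    "strict":   "v=spf1 include:_spf.example.net -all",
    "softfail": "v=spf1 ip4:192.0.2.0/24 ~all",
    "open":     "v=spf1 mx all",
    "missing":  "google-site-verification=not-an-spf-record",
}
```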
I would have just deleted their email and moved on.
These bury any legitimate reports. We have missed a legit one because of the sheer amount of beggars at some point. Luckily the person on the other end contacted us again and was understanding that we missed it.
And there are some who do not disclose and act like there is a really critical issue, fishing for replies first and then dropping a pile of shit as a critical security issue.
I'm also fed up with these.
> It was _immediately_ clear that Hammad was going to beg for a bounty, but it was a quiet Saturday night here and I thought it would be entertaining to see just how far down the rabbit hole he wanted to go. So, I responded, positively:
I suppose most of these useless bounty reports are quite easy to tell.
From the comment above:
> 20 mails each day
If you receive 20 mails a day to your security email address, then perhaps it's time to set up a proper bug bounty program? They will weed out low impact vulnerabilities and only elevate the reports above a certain threshold. Isn't this a solved problem already?
---
I help run a bug bounty program, we get a lot of submissions. Way too many of them are zero or low effort. The SPF meme one definitely resonates with me, we get it a whole lot.
Occasionally we will get someone who submits a half dozen variations of the same zero/low-effort report. When we turn around and deny them all (because there's no actual exploitable issue), there's a good chance they will then spend the next week replying to our emails asking for money because they put a lot of effort into it, and/or disputing our evaluation.
It's frustrating dealing with that, and I can certainly sympathise with wanting to reply to someone who's begging you for money with a "no, go away".
Perhaps Troy just needed to blow off some steam, but I think he'd be better off having a saved reply in his email saying he doesn't pay bug bounties for personal projects/sites, and just sending that.
I think it'd go over better than having what seems to be an overly aggressive post.
I have been making money through bug bounties for the past 5 years (I'm a researcher on the major bug bounty sites and multiple private ones).
More times than I can count, I have found major, non-low effort bugs, and the company will spend time deflecting, and I just won't end up getting paid. Luckily, this is less than 10% of the valid bugs I've found. I've learned to just move on after a certain point.
This behavior from these companies nearly made me quit 2 years ago. I was so frustrated that I completely stopped for 6 months.
I found 50 bugs in a week for one major company and they spent 2 months trying to tell me that they don't own the site anymore, and weren't going to pay me. It was in scope at the time I found the bugs. These weren't just minor bugs either. They allowed me to break into all private rooms on the service in multiple ways, get access to back-end network settings, and even take over accounts.
I pushed back and they were in violation of their SLA. I got a nice payout a few weeks later.
Keep in mind the bugs I found allow a lower-privileged group to not only access, but update privileged information and other sections in the account with no user interaction. Definitely a security issue (multiple, in fact).
This is why security issues never get fixed and people like me stop looking. I suspect they will fix it and are again trying to find ways not to pay me.
This is very sleazy behavior and way worse than what the guy he criticized did.
You've described 90% of our cybersecurity department.
Want to be a developer? It’s dead simple. You can just install node.js and pull in a bunch of random dependencies.
I agree with everything in this post except this line. It's nice that the author doesn't need the money, but some people do. To me, the problem is not sharing after the answer is no, or not asking up front, not the fact someone is asking for money.
If you’re only trying to collect bounties, you should go to a bug bounty website and work on sites that are explicitly soliciting bounties - that way you aren’t wasting your time finding vulnerabilities on sites that have no interest in paying out, and you can see which types of vulnerabilities are in- and out of scope.
On the other hand, I don’t think it’s particularly rude to shoot an email over explaining the vulnerability while at the same time requesting compensation. But gating information on the vulnerability behind a request for compensation is not appropriate.
Found an XSS vulnerability on a very popular Danish website and 0 contact since reporting. The vulnerability still exists and I even found a few less severe bugs.
From: whiteboxtesting01@gmail.com
> Waiting for your response and hoping for a bounty reward for responsibly disclosing this issue to your website. Furthermore, I may attempt to contact you again if I do not receive a response to ensure that my message has reached you.
Most of the time, the company sent an angry response with threats of calling the police. I always thought this was stupid.
I would never look for security vulnerabilities on a company site, unless I'm hired to do so. The main issue is that you have no idea if what you are doing will affect a production site.
"If you put an email on a website, you will get spam"
- A fundamental law of the internet