Why would it be? Say you film your kid's birthday party and put it up on youtube. You just leaked voice recordings of a lot of other children. What's the harm supposed to be?
Feel like recording intimate moments like that should just about be a crime at this point. Sick of every dicknose with an iPhone trying to "remember" a group dinner
Face recognition. In terms of govt scale intelligence, and increasingly just plain OSINT. Not everyone is as tight with their pictures as you are, they probably auto upload them on Google Photos or Dropbox or something. You are now irreversibly linked to everyone else in that photo who probably has social media profiles, public contact emails, show up on people search websites etc. I don't want to cause problems for you just because someone wants to blackmail me. I also don't want you to tell people where I live because someone broke into your house and is removing your toenails with a pair of pliers.
Subjective opinion time, I just think it's lame. I don't sit back and reminisce over pictures. I don't want to be in your group picture. I want to hang out with the people in the group and have a laugh.
As of 2013, COPPA specifically defines recordings of a child's voice as a type of "personal information" about the child; as a result, operators of online services "directed at children" are required to get parental consent to collect that information, and are required to protect it appropriately.
what are kids voicing that should result in the firing of thousands or even tens of thousands of adults because a corporation got dissolved? Seems a bit overboard
I run a domain for our community association. I had an “ethical hacker” discover that I had neglected to set up spf records for that domain. I had to deal with him sending a bunch of nasty emails to our other board members after I refused to pay him for his “discovery”. (Actually I offered him a cut of my salary as a board member, which at $0, came out to be… less than he was hoping for)
I’ll definitely keep a link to this for next time this happens.
Yeah, I'm honestly surprised the organization is able to email anyone else. Even 8-10 years ago, I would have expected the major providers to drop email sent from a host without some or all of those elements configured.
I guess I wonder about the opposite side of this. While I hate the beg bounty people as well, I don't think security researchers should work for free. I have found several security vulnerabilities that I have never reported to the company because their security policy was basically "send us everything you found for free and we won't give you any credit".
> I don't think security researchers should work for free
I agree. The OP comes across a bit gatekeepy to me. Not everyone has made a big name for themselves yet.
How are you supposed to find customers in the first place? Gotta start somewhere.
Quality of the findings is orthogonal to asking for compensation.
There will always be people asking for money without providing value. But I don’t think we should throw the baby out with the bath water because of it.
Hard, hard disagree. I'm glad this "beg bounty" behavior has a name for it, because it's so f'ing obnoxious, and so common, and all it really does is make it that much harder when a serious researcher does need to report a real vulnerability.
Let's not pretend there is some sort of gray line between what responsible disclosure looks like, and what bullshit beg bounty disclosure looks like - after all, Hunt does an excellent job showing the difference. He showed an email he wrote that identifies where he's from, and gives clear verifiable evidence of a serious breach. That is night-and-day different from the "I found something naughty on your website, will you pay me??" example from the beg bountier.
Point being, if you are a serious researcher and you have actually found a high-value vulnerability, there are proper ways to message that even when you feel compensation is warranted. These beg bounties never look like that because they all have the same achilles heel: the "vulnerability" is such an eye roller that they can't actually give evidence of it before asking for money precisely because they know it's so low value.
This behavior never rose above "mildly annoying". There are a lot of people out there who will check your website for the issues that they know how to find and fire off a form report letting you know.
They are really, really, easy to deal with. There are two major relevant strategies:
- Many programs put it explicitly in their bounty policy that they won't consider the output of an automated tool. This automatically blocks the lowest-effort submissions.
- All programs specify in their policy what they consider a vulnerability and what they don't. "SPF configuration" is a common exclusion.
So if you get a low-value report, it takes maybe one minute to respond with a pointer to the part of your policy that explains why you won't even bother considering the report. If flyby reports are a major issue for you - publish a policy!
(As a third consideration, for me personally, these reports were especially easy to handle because you'd see the same guy filing more or less identical reports to several programs, and after the first time, you'd already have a good understanding of exactly what the report was saying.)
The people filing these reports are doing valuable work. Some programs really do care about some of the issues they find. Most programs don't care about most of the issues - but you can hardly blame the researcher for finding out whether the issue they already have in their hand might be worth something.
When I saw the headline, I thought of a different phenomenon that bothered me more. Many researchers are very ...anxious... about the status of their reports. I saw one guy, apparently from Egypt, who regularly found real vulnerabilities in a major website and earned thousands of dollars a month in bounties. If a report came in from him, it got taken seriously.
But he was constantly asking for status updates and commitments on when a report might get paid out. This was unpleasant to deal with. On the other hand, I did also see a handful of reports fall through the cracks and go untouched for months at a time, so again it's hard to blame the guy too much.
There are thousands of established bug bounty programs on the web. Ones in which companies actually solicit these messages. The reason these beg bounty hunters are sending unsolicited emails instead is because these programs explicitly descope all these stupid and irrelevant findings. If you want to establish your bona fides, this is a terrible way to go about it, especially given the legitimate alternatives.
> Quality of the findings is orthogonal to asking for compensation
This is a terrible take. Orthogonal to having a reputation, sure. Orthogonal to having a particular certification or credential, absolutely. But quality is absolutely non-negotiable. If your work is bad and nobody asked you to do it then you’re not a professional, you’re a charity.
The issue here is that these people aren't providing value. Further, engaging with them as serious and sincere costs in time and energy. That's expensive when there's no payoff. From my own experiences, beg bounties reliably do not have findings of a useful quality and the begging approach is a very strong signal that the juice will not be worth the squeeze.
The piece is gatekeeping in the same way the spam filters we all use are gatekeeping. There's always stuff we want to keep on the far side of our filters. Beg bounties are among them for many.
I agree. But there are advantages to be gained beyond mere payment. (Assuming the work is somewhat more than just "I fed your name into ssllabs".)
Say you find a genuine issue. You can document it and send it to them. You might suggest an appropriate amount, but you've given them something to evaluate. Chances are you get nothing, but there is still other value in the exercise.
You can also add this to your portfolio. Once you have a few of these apply for jobs at security firms. They can judge your skill level to see if you're worth adding to the team.
You can also determine if this is a whole class of problem. Publishing the issue (without naming the company involved) raises your profile. You can leverage that profile into paid work down the road.
Of course you should understand all this before you "do the work" in the first place. If you're gonna do random drive-by work you should understand your goals. Given that the parent did not disclose, presumably there was some other motivation in play.
I get a lot of these but I have to admit I have a few favourites:
1. "I can download archives of your public mailing list from your website!"
2. "I can download tarsnap source code from your website!"
3. "I can telnet to port 25 on your mail server and send you an email!"
I have the misfortune of being an early offerer of bug bounties -- and being unusual in offering bounties for all bugs, not just security bugs -- which means that Tarsnap shows up pretty quickly when bounty beggars start looking for targets.
Oh yeah... I don't run a docker registry, but Amazon feels it necessary to remind me periodically that FreeBSD releases are public AMIs, and their filesystem images are public, and I have publicly readable data in S3 (which is mandatory in order to create an AWS Marketplace listing).
So much "yes I know it's supposed to be that way".
It’s so bizarre that every time I upload something to S3 I have to jump through a hoop to make it publicly readable and Amazon displays a massive warning sign.
Like the only thing I use S3 for is hosting open source software binaries. Maybe there’s a use case for restricting access, but I don’t even know what that would be.
S3 is just a general storage bucket, anything you could use a hard disk for, some app is using S3 for that instead. It's particularly common in serverless app backend architectures where no permanent storage exists at all, so volumes are not an option.
A good deal of hosting is done on ephemeral VM instances that get rebuilt, so you choose between volumes and S3, and S3 is a bit more flexible.
Many applications use s3 as a data store for... Whatever. Uploaded or generated files, intermediate outputs, as a key-value store for large blobs.
You can put all sorts of things on s3. The PDF containing your bank statement, your medical test results, whatever - S3 is plenty secure enough for that with sane configuration, and even by default with sane account management.
A fair chunk of modern corporate data ends up in OLAP systems that are now more often than not stored using s3 (or their MS/Google equivalents) in 'Data Lakes'. The concept of 'private data' whilst using cloud providers is an interesting one, but there has been enough work done by all parties involved to ensure that all but the most sensitive data is now created, stored and analysed using the systems provided by "Big Cloud".
You really need to think carefully about whether you want to expose an S3 bucket publicly. There are probably some valid reasons out there, but if you're not an AWS expert, it's likely that you're making a mistake. If I find out the name of your bucket I could cost you thousands of dollars of egress tonight before you wake up in the morning. It's _especially_ likely to happen to hosters of open source binaries because of people absent-mindedly downloading artifacts from CI jobs. No malice required. They make the mistake but you pay the bill.
Public S3 buckets are not a good choice for that because of the "anyone could bankrupt you" reason above. That is generally NOT the use case for S3, and it's the reason why private is the default and there are alerts for public buckets. For public access, within AWS, you'd want to put CloudFront in front of the bucket and only allow external users to access CloudFront. However, there's a better option...
Outside of AWS, Cloudflare has a service called R2 which is just like S3, except you DON'T pay egress! It's the same thing, but without the "anyone could bankrupt you" aspect. You pay for the storage but you don't pay per download. I highly recommend this for hosting open source binaries. You can still keep a copy in a private S3 bucket for safe keeping if you don't trust Cloudflare long-term.
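The two comments above contrast the "make my bucket public" setting with putting CloudFront in front of a private bucket. The following is an added example, not code from any commenter or from AWS: a small checker that walks an S3 bucket policy and flags Allow statements that grant object reads to the anonymous principal with no Condition. Both policies are constructed; the restricted one follows the CloudFront origin-access-control shape (service principal plus an `AWS:SourceArn` condition), reproduced from memory and so an assumption, with `ACCOUNT_ID` and `DISTRIBUTION_ID` as placeholders.

```python
"""Flag S3 bucket policies that make objects readable by anyone.

Added example for this thread, not code from any commenter or from AWS. The
two policies are constructed; the account and distribution ids are placeholders.
"""
import json

# Actions that let the principal read object bodies.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """IAM accepts a single string or a list in Principal/Action/Statement."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for the anonymous principal: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json):
    """Return Sids of Allow statements granting object reads to anyone, unconditionally."""
    policy = json.loads(policy_json)
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        # Treat any Condition as narrowing the grant; a stricter checker would
        # inspect the condition keys themselves (aws:SourceArn, aws:SourceVpce, ...).
        if stmt.get("Condition"):
            continue
        flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


# The weak setting: the classic "public-read" bucket policy (constructed).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-release-bucket/*",
    }],
})

# The corrected setting: only the named CloudFront distribution may read
# (constructed; ACCOUNT_ID and DISTRIBUTION_ID are placeholders).
CLOUDFRONT_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontOAC",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-release-bucket/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::ACCOUNT_ID:distribution/DISTRIBUTION_ID"
        }},
    }],
})

if __name__ == "__main__":
    for label, policy in (("public", PUBLIC_POLICY),
                          ("cloudfront-only", CLOUDFRONT_ONLY_POLICY)):
        print(label, "->", public_read_statements(policy) or "no world-readable grants")
```

Run it as a script and the first policy is reported as world-readable while the second is not; the same function can be pointed at policies dumped from an account to find the buckets that would expose you to the egress-bill problem described above.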
Meanwhile I've got a penetration test costing tens of thousands of dollars in front of me and your third finding is in there pretty much word for word.
> Alas, all reasonable measures were exhausted without response, I loaded the data into Have I Been Pwned (HIBP) and then they took notice
Every single time. They don't really care about users, their safety and privacy. They care about legal liability and not looking foolish in public. It seriously makes me wish people would just publish vulnerabilities straight up complete with exploit source code so they'd have literally no choice but to care.
Covering up legit vulnerabilities is dangerous - it is a criminal offense. And no, “my manager doesn’t like it” is not an effective defense (see the Uber CISO case).
That is a sign that you work at a deeply unhealthy company. Even at a moderately healthy company it's usual to have "Don't shoot the messenger" policies in place to avoid blaming developers for doing their job.
After which publication they usually reassure their users that security is their utmost priority, fix the one leak, and go back to doing nothing till the next breach.
I’m not sure the BronxWench cares strongly about what people on the Internet think of her.
It seems far more likely that they didn’t understand the email from Troy or dismissed it as spam or a scam.
They took notice because a bunch of their regulars started getting emails from HIBP. Some of these did understand, and brought the issue to the attention of the admins in a way they understood.
I think the principle of charity dictates that we should at least give them an opportunity to do the right thing. Not that this makes it any less frustrating when people take advantage.
I mean, the whole purpose of legal liability is to make them care. Isn’t this just the system working as intended?
If anything, my conclusion is that security researchers shouldn’t have any qualms about releasing vuln info. By all means, give the concerned party an opportunity to act in good faith, but when they invariably don’t, send it.
I don't really understand the point of making a big stink about Beg Bounty Hunters. They're invariably people in developing countries, for whom occasional SPF or Clickjacking payouts will be meaningful. And there's an unbounded supply of them. They're not going away. All you can control is the way you respond to them; lashing out at them in public seems like a pretty unhealthy response. Not for them; who cares? There's going to be 20 more right behind them. But I mean, just for your own sense of well-being.
What an uncharitable and uncalled for accusation. Dude's twitter is him living his life and posting it. No one is asking you to follow him or read his stuff. He's rich and posts about some of it. Who cares. I've never seen him pretend to be a celebrity and the accusation of giving merch for harassing others sounds like an outright lie. I've been following him for years and have seen no such thing
Meaningful or not, some companies and organizations don't understand the difference between a CVSS score of 2.0 and 10.0. Being in the cybersecurity industry myself, there is a wide gap of knowledge in the risk of vulnerabilities. Following a somewhat standard way of reporting vulnerabilities is well documented. Begging for a bounty is not standard.
I also think that is perfectly fine to document the process in public so that everyone is informed.
Also, in regards to your comment on meaningful payouts, you could make the same argument for spam email. Occasionally it works for people in developing countries is, in my opinion, a terrible argument for allowing such behavior.
> Occasionally it works for people in developing countries is, in my opinion, a terrible argument for allowing such behavior.
I think the point GP was raising isn't that it's ok, but that it's part of a wider problem and isn't just happening because people are stupid. It makes sense for them because of how the world economy is currently set up. Saying "hey will you just stop please" won't change that fact. Exactly the same thing is true for spam.
“But I already washed your window while sitting at the stop light”
It’s one thing to go begging, it’s another when they feel entitled to some sort of payout. I never asked for their “services” - and in my limited experience, they lash out at you too, when you explain you’re not paying.
My parents lived in New York City during the early 1970s, a time of serious decay. The "free" car window washers was a thing. You would stop in traffic (Manhattan) usually, then someone would start to clean your front window with a dirty squeegee, then come to your driver side window and ask for a tip (payment).
By the time it started showing up in 1980s comedy films, it was mostly gone in real life. I am surprised to see an Ozzie referring to this. Or is he referring to something else?
He's referring to car window washers at traffic lights.
Maybe in Australia which has had them at various locations in capital cities in the 80s, 90s, 10s by my recall. Maybe in other countries as while Troy is Australian he's moved about a bit ... but probably Sydney - it's one of those modern clean yet dirty cities with a bit of everything.
EDIT: The quote doesn't come from Troy, it's sourced from a twitter reply he received from "John" @j3g
I simply said “thank you for the report but I’m not paying”. The “researcher” responded by spamming the rest of the board and the property manager for the community with hundreds of messages filled with expletives.
I didn’t write a blog or do anything to “trigger” anyone. Heck the only reason I replied is because they kept emailing the other non tech people in an attempt to extort money out of them.
I don’t find their behavior excusable and have no problem calling them out.
We've had a handful of these that we've paid out for small issues over the years.
Things that are _technically_ security issues, but not something that affect us or are exploitable in a meaningful way. $50 a few times a year is stupid cheap to build a reputation of actually paying out security researchers.
Among the junk, we've had a few legit bounties submitted. That alone is worth the noise these "beg bounties" create.
----
Security is a never ending game of cat and mouse. If you can pay out a small amount to people who might, just might, catch something all of your other processes miss, it's a pretty easy decision.
None. We don't pay if the bounty isn't verifiable. This is the standard for the industry.
This is part of the reason paying out small bounties is valuable and important. You want to build a reputation in the community for honoring your responsible disclosure policy.
I run a bug bounty program and I don't mind reports for small issues. It's true that most reports from "beg bounty" hunters are noise, but we've acted on some reports a few times. One time, in particular, a researcher broke something which alerted us to a serious issue; while they did not themselves understand what they had found, we still paid a fair bounty on the finding since we would not have found the issue without the action of the researcher.
It also helps that we have very clear rules and defined scope: we've put out of scope the usual suspects and researchers rarely argue when we point out they should have read the rules better before submitting.
Regarding bounties, my yardstick rule is that if a report made us reconsider our practices and change something on our side, then it's worth a bounty, even a small one. If not, then no bounty for ya, simple as that.
Also, I don't remember getting a disclosure report where they would ask for money before disclosing the vulnerability, I don't think it's that common. Still, this would go straight to the spam folder.
In my experience paying out once to a bug hunter resulted in an avalanche of useless "beg hunter" reports in the following weeks. Understandably security researchers brag about their finds on their resume but that has the side effect that other guys apparently crawl those and start targeting you.
I'm not saying this is good or bad, but just a warning that you should be prepared to read a lot more reports once you start paying.
1. The first is literally the first example of the article: real/important vulnerability disclosures get confused with beg bounties which don't need to be acted on / are not serious (most of the time). That can cause real harm.
2. The second reason is the approach that the beg bounty uses: that of fearmongering. If the beg-bountier disclosed the vuln and asked for the bounty that would be ok, but withholding the vuln until payment is assured is a scam.
3. How can one even properly valuate how much the vuln should be worth without knowing what it is / capable of doing?
> 1. The first is literally the first example of the article: real/important vulnerability disclosures get confused with beg bounties which don't need to be acted on / are not serious (most of the time). That can cause real harm.
I have a hard time sympathizing with this. Our project gets a handful of these "beg bounty" things a year; usually they're repeats -- SPF and "clickjacking" are common ones, but we also get other ones. ("You're exposing people's usernames through this weird JSON thing!" "Yes, we're also exposing people's usernames in the 'by' line of the post itself. There's nothing in that JSON that's not also available by just doing plain web scraping."). If we see a new complaint we always look at it to see if it's something we actually care about.
If you're working with pictures and audio of kids, or have details of people's activities that they may not want made public (like their taste in "Adult Fanfic"), there's absolutely no excuse for not looking at each report, even if 95% of them are low-value.
EDIT: I mean of course the "Report and then ask for a bounty" kinds, not the "Give me the bounty and I'll tell you the bug" kinds.
At my previous job it was about 10 per day after we started having an official process. I gather that people would just Google us.
It was very easy to filter the bad reports, though. About 10 minutes of work per day, since most were repeated issues. We had a default "reply" email with information.
The issue however was those people would get extremely angry when their security issue was deemed invalid, so we started just blocking recipients that would threaten us or demand payment for invalid issues. Some would stalk me and other developers on LinkedIn and would demand immediate payment. Of course that only happened about 4 times.
Another issue was caused when some invalid issues would get SO MANY REPORTS from automated scanners that we would actually decide to make a change to prevent the reports. In some of those we actually paid and credited the first person, but then the other 30 would demand payment too and accuse us of lying.
Complaining about the phenomenon isn't doing anything about any of these 3 issues. There is a powerful economic incentive driving it, and lot of independent actors. Really all we're doing here is driving up our own blood pressure. People who operate serious bounty programs have been dealing with this effectively for over a decade.
Not tolerated but it should be understood. Lots of developers would do morally dubious things for a 'life-changing' amount of money. If you live in a very poor country that isn't a large sum compared to a Western salary.
You don't have the option of tolerating or not tolerating it. You're seeing one of these people, but there are a thousand more behind them, and they don't care what you tolerate or don't; it's a numbers game to them.
I've received those mails a few times and while I agree with you to some extent, the way they are often formulated feels closer to "nice store you have here, shame if something were to happen to it!" -- as in, what is this person going to do if I don't pay up? That does not seem ethical to me.
The problem is that they do have real consequences for others. It is a kind of zero sum game where their gains come from the loss of others. I have no sympathy for them.
If you want to help them, why not just send them $$?
Another thought on this, coming from someone whose phone number has ended up on some large number of scammer lists, to the point where I would have about 1000 scam calls per month around open enrollment time (think targeting seniors):
You are advocating for feeding the troll. The troll will not be satisfied with table scraps. Larger trolls will see the opportunity and scale up.
I get what you’re saying. I don’t have a solution to the inequality you point out. But rewarding the bad behavior doesn’t help rectify the inequality, it just makes more bad behavior.
I love the term, it's appropriate. In my experience many of these beg bounties are automated and nonsensical. Script kiddies looking for a quick and easy buck. Generally when they are directed to an actual bug bounty program on HackerOne or the like they don't follow through.
e: I just noticed, this post was from 2 years ago. It should have (2021) in the header.
---
I help run a bug bounty program, we get a lot of submissions. Way too many of them are zero or low effort. The SPF meme one definitely resonates with me, we get it a whole lot.
Occasionally we will get someone who submits a half dozen variations of the same zero/low-effort report. When we turn around and deny them all (because there's no actual exploitable issue), there's a good chance they will then spend the next week replying to our emails asking for money because they put a lot of effort into it, and/or disputing our evaluation.
It's frustrating dealing with that, and I can certainly sympathise with wanting to reply to someone who's begging you for money with a "no, go away".
Perhaps Troy just needed to blow off some steam, but I think he'd be better having a saved reply in his email saying he doesn't pay bug bounties for personal projects/sites, and just send that.
I think it'd go over better than having what seems to be an overly aggressive post.
I have been making money through bug bounties for the past 5 years (I'm a researcher on the major bug bounty sites and multiple private ones).
More times than I can count, I have found major, non-low effort bugs, and the company will spend time deflecting, and I just won't end up getting paid. Luckily, this is less than 10% of the valid bugs I've found. I've learned to just move on after a certain point.
This behavior from these companies nearly made me quit 2 years ago. I was so frustrated that I completely stopped for 6 months.
I found 50 bugs in a week for one major company and they spent 2 months trying to tell me that they don't own the site anymore, and weren't going to pay me. It was in scope at the time I found the bugs. These weren't just minor bugs either. It allowed me to break into all private rooms on the service in multiple ways, get access to back-end network settings, and even take over accounts.
I pushed back and they were in violation of their SLA. I got a nice payout a few weeks later.
To add to this (because I can no longer edit my post). An excuse I saw just last week is that although I found vulnerabilities, the company doesn't believe it's a security issue and have no interest in fixing it, so the reports will be closed as informative.
Keep in mind the bugs I found allow a lower-privileged group to not only access, but also update privileged information and other sections in the account with no user interaction. Definitely a security issue (multiple, in fact).
This is why security issues never get fixed and people like me stop looking. I suspect they will fix it and are again trying to find ways not to pay me.
> I don't know how many disclosures I've done ... (100+, surely), but I have never, ever - not even once - asked for money. But Hammad isn't me
I agree with everything in this post except this line. It's nice that the author doesn't need the money, but some people do. To me, the problem is not sharing after the answer is no, or not asking up front, not the fact someone is asking for money.
I don’t think asking for money is the issue- it’s the overall handling of the situation on the researcher’s side.
If you’re only trying to collect bounties, you should go to a bug bounty website and work on sites that are explicitly soliciting bounties - that way you aren’t wasting your time finding vulnerabilities on sites that have no interest in paying out, and you can see which types of vulnerabilities are in- and out of scope.
On the other hand, I don’t think it’s particularly rude to shoot an email over explaining the vulnerability while at the same time requesting compensation. But gating information on the vulnerability behind a request for compensation is not appropriate.
I remember when I was a teenager I found a huge security flaw in a website: they allowed including any PHP file passed as a query string parameter, and that file could be a remote one too.
They didn't listen to me and I found that offensive, so I used the flaw to get access, and leave a message on their FTP server. I didn't destroy nor steal any data. They responded by reporting the incident to the police.
No criticism because teenagers do dumb things, but for anyone else it should be assumed that if you break into a system without permission, benignly or not, you run the risk of getting prosecuted for it.
I vaguely recall this case. I sure hope police have become more cyber literate in the past 10 years, but yeah this is the virtual equivalent of leaving fingerprints on the crime scene.
After reading your story, the image at the bottom stands out. I never thought about the fact that you can’t really trust that what is returned to you is the same as what they took. No telling if they added any malware to those drives intentionally or not.
Threat of prosecution can come even without breaking in. Vengeful and ignorant people will always be a thing. [1]
Missouri's governor threatened legal action against a reporter who found SSNs were being leaked on a public web page accessible simply by clicking "View Source". The reporter "followed standard protocols for disclosing and reporting on the vulnerability, the governor is treating him as if he attacked the site or was trying to access the teacher’s private information for nefarious purposes".
This pisses me off on so many different levels. The reporter told proper authorities and gave them time to fix it before he made the information public but MO's jack-wagon of a governor tried to pin blame on the reporter.
Threat of prosecution is of course always present, but the chance of that prosecution making it past the courts is significantly altered by actually committing the acts you might be accused of.
It's the danger of good intents but still breaking the law. If a house is unlocked and you go in to prove it's unlocked, maybe leave a helpful note, you're still breaking in. Report and move on.
IIRC some jurisdictions consider any force at all - such as pushing an already-open door further open - to be sufficient to make it B&E rather than simply trespassing.
> Breaking and entering is defined as breaking into a place with intent to commit another indictable offence
England & Wales
> A person is guilty of burglary if they enter any building or part of a building as a trespasser with intent to steal, inflict grievous bodily harm or do unlawful damage to the building or anything in it.
New Zealand
> burglary is a statute offence under section 231 of the Crimes Act 1961. Originally this was a codification of the common law offence, though from October 2004 the break element was removed from the definition and entry into the building (or ship), or a part of it, now only needed to be unauthorised.
I can understand land, but isn't entering an actual building/home/garage without permission a crime even if it was unlocked? It seems like it should be, but my view is tainted by US law, which is overly complicated and varies state to state about severity, but I'm pretty sure it's against the law in every state.
AFAIK, trespassing per se is usually not a crime in England. It is typically considered a civil matter. It gets more complicated I think if you get told to leave and resist. And of course trespassing with intent to steal is a crime.
Yeah, usually you get a forceful entry charge in addition. You can't just walk into someone's house even if their door is ajar or unlocked. I'm not sure about cracking it and, say, asking "is anyone here?"; my guess is it involves actually stepping into the house, for example when you're worried about a neighbor because his door is standing open.
Stepping on someone's land marked as "no trespassing" is one thing (and a big thing) in the USA, just walking into someone's house, is B&E if the person wants the yokels to press charges and you didn't have permission. I assume the same is true for cybercrime, especially if you're using the system in a way it wasn't meant to be, especially if it causes damage of some sort.
Throwaway account for obvious reasons. I've been employed as a triager on two primary bug bounty platforms for over seven years. The circumstances are distressing and carry tangible real-life consequences. I'm open to answering questions within my personal comfort zone.
I get that Troy is probably tired of receiving beg bounties, but as a security researcher himself, I find this post a bit distasteful and discouraging towards the people who could as well be on their way to finding bigger vulnerabilities.
Reports on lack of SPF/DMARC records on security headers can be annoying, and often false, because there are some legitimate cases an SPF record with `~all` is necessary, or you have to have a permissive CSP for whatever reason.
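As an added, self-contained example (not code from the thread or from any of the tools mentioned), here is a minimal SPF evaluator in Python that shows why a `~all` record on its own is a low-impact finding: an unlisted sender only gets `softfail`, whereas `-all` gives a hard `fail`. The record strings and IPs are constructed samples.

```python
"""Minimal SPF evaluator for ip4/ip6/all mechanisms (added example).

Mechanisms that need DNS (include, a, mx, exists) are skipped so the
example runs offline; only the part relevant to "~all" vs "-all" is shown.
"""
import ipaddress

# RFC 7208 qualifier prefixes and the result they produce on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str) -> list[tuple[str, str, str]]:
    """Split a TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # no prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return pass/fail/softfail/neutral for sender_ip under the record."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue  # malformed mechanism: skip it
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # include/a/mx/exists need DNS lookups; ignored in this offline example
    return "neutral"  # no "all" term: RFC 7208 default result


if __name__ == "__main__":
    # Constructed sample records; 192.0.2.0/24 and 198.51.100.0/24 are
    # documentation ranges, not real mail servers.
    soft = "v=spf1 ip4:192.0.2.0/24 ~all"
    hard = "v=spf1 ip4:192.0.2.0/24 -all"
    print("listed sender:", evaluate_spf(soft, "192.0.2.10"))      # pass
    print("unlisted, ~all:", evaluate_spf(soft, "198.51.100.1"))   # softfail
    print("unlisted, -all:", evaluate_spf(hard, "198.51.100.1"))   # fail
```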
I would have just deleted their email and moved on.
You receive 20 mails each day and when you delete them you receive follow ups. You receive emails getting angry and the tone shifts to threats (as if the bug they are reporting warrants it).
These bury any legitimate reports. We have missed a legit one because of the sheer amount of beggars at some point. Luckily the person on the other end contacted us again and was understanding that we missed it.
And there are some who do not disclose and act like there is a really critical issue, fishing for replies first and then dropping a pile of shit as a critical security issue.
> It was _immediately_ clear that Hammad was going to beg for a bounty, but it was a quiet Saturday night here and I thought it would be entertaining to see just how far down the rabbit hole he wanted to go. So, I responded, positively:
I suppose most of these useless bounty reports are quite easy to tell.
From the comment above:
> 20 mails each day
If you receive 20 mails a day to your security email address, then perhaps it's time to set up a proper bug bounty program? They will weed out low impact vulnerabilities and only elevate the reports above a certain threshold. Isn't this a solved problem already?
From what I've seen secondhand, a bug bounty programme can actually increase the overhead vs. an email address, because now someone has to log in and deal with each ticket instead of ignoring emails that don't seem interesting.
There are some significant advantages to having a bug bounty programme, but they still attract a lot of noise. I know of at least one software company that has an entire team just to triage the queue. Not fix anything, just validate whether a report is reproducible or not and if so, route it to the responsible party.
I participate in a couple programs, and when I report something, they have a team at the bug reporting service take a look first before escalating them to the actual security contact. Only issues that are in-scope and severe enough get escalated. The company can even mark certain programs as invitee-only or for researchers above a certain threshold.
Many programs already have rules saying they will not consider DNS/header related issues.
I understand the problem, beggars add noise to an important contact signal point…
But this idea that people 'did actually already do the "work" for free' so don't deserve remuneration… isn't great.
Lots of people do spec work to try and get paid, or to get more work. The recipient is free to negotiate, rebuff or simply ignore it, but this idea that time sunk is valueless is unhelpful.
Not defending "Hammad" here. If you do spec security work you need to lead with what you've got, even if that's just a rough CVE severity rating, and your price. But I think I'd rather have people checking my configuration and taxing me for my errors than not to know at all.
This makes no sense. Imagine someone shows up at your house, paints the fence and then asks you for compensation. They already did the work, but you never even asked for it. The same thing is happening here.
1. Imagine a painter on the street, who made a quick painting of you and your partner in your natural state while you were unaware of the process. Then he comes and asks if you are willing to pay and get it for yourself. No, you don't have the right to get it for free only because it was already painted.
2. Imagine that while you are on your walk, a guy comes to you and informs you that your bag was open and some stuff may have disappeared (dropped and/or stolen) from it. He went out of his way to detour and catch up to you (he had to run!) to report the issue. It was voluntary, but it is good behavior. In the physical world that alone should be rewarded (at least with sincere thanks). But if you are not willing to compensate, he has no duty to spend even more of his time and energy in order to walk back, show you all the places where your stuff dropped and stay to document all the details for your police/insurance application. He already did you a favor and is not required to put any more effort into it for free. It would be nice, but not a duty; especially because we are not talking about a private person or a hobby project, but about a company's business. Discovering a vulnerability is one thing, but properly writing it up and documenting it is a totally different expenditure of time, energy and opportunity cost. It is not free.
lol this actually happened to me. I came home with a note on my door and a fixed gutter. Turns out they were supposed to fix someone's a few houses down but saw my house (first on the street). I was going to fix it myself. I called them to let them know I never scheduled anything and ask what was up. We figured it out and I gave them 1/2 of what they would have normally charged after I verified with that neighbor that what they were saying was true. It was very reasonable even at full price. I wouldn't have had to pay them a dime, but they saved me some work and time and I sent them a check anyway.
A bit off topic: I am genuinely surprised that he gets to blog (regular and micro via Twitter/X) with such a savage style. In many mega corps, even tech, they would eventually curtail this type of blogging. Steve Yegge is a pretty famous example where even Google was trying to curtail his blogging topics and style.
In his email signature he writes that he is a "Microsoft Regional Director". Even though that is formally correct, in practice it is highly misleading, because it alludes that he works for Microsoft at the highest C/Director level, while in reality he is a mere advisor and this is a vanity title he got.
This is very sleazy behavior and way worse than what the guy he criticized did.
I'm Troy Hunt, an Australian Microsoft Regional Director and Microsoft Most Valuable Professional for Developer Security. I don't work for Microsoft, but they're kind enough to recognise my community contributions by way of their award programs which I've been a part of since 2011.
2. He doesn't explain it at all in his email. This is akin to writing a misleading news title and saying that you are innocent because people should not be gullible and believe everything on the Internet, and should do their own research.
3. He purposefully chooses to use that bad title, even though nobody forced him. It was his personal choice to mislead people.
But it was Troy's decision to use that misleading title. Nobody forced him to use it in such a misleading way, in his email signature no less! He had so many options he could have written, but he specifically chose the misleading one.
After reading this HN post in the morning, I've received one of those SPF ~all beg bounties via email today. It ends with:
From: whiteboxtesting01@gmail.com
> Waiting for your response and hoping for a bounty reward for responsibly disclosing this issue to your website. Furthermore, I may attempt to contact you again if I do not receive a response to ensure that my message has reached you.
> Want to be a bounty beggar? It's dead simple, you just use tools like Qualys' SSL Labs, dmarcian or Scott Helme's Security Headers, among others. Easy point and shoot magic and you don't need to have any idea whatsoever what you're doing
You've described 90% of our cybersecurity department.
Reading the accompanying CloudPets article, it is very similar to my experience with reporting exploits.
Found an XSS vulnerability on a very popular Danish website and 0 contact since reporting. The vulnerability still exists and I even found a few less severe bugs.
I know someone that would find security holes in random company sites and email them about it. They never asked for money.
Most of the time, the company sent an angry response with threats of calling the police. I always thought this was stupid.
I would never look for security vulnerabilities on a company site, unless I'm hired to do so. The main issue is that you have no idea if what you are doing will affect production sites.
Why is most of the substance of this post giant block quote links to his own Twitter? Clicking through to those is painful; it’s not like the author can’t afford to host some screenshots on his own domain.