1. The first is literally the first example of the article: real/important vulnerability disclosures get confused with beg bounties, which don't need to be acted on / are not serious (most of the time). That can cause real harm.
2. The second reason is the approach that the beg bounty uses: that of fearmongering. If the beg-bountier disclosed the vuln and asked for the bounty that would be OK, but withholding the vuln until payment is assured is a scam.
3. How can one even properly valuate how much the vuln should be worth without knowing what it is / capable of doing?
> 1. The first is literally the first example of the article: real/important vulnerability disclosures get confused with beg bounties, which don't need to be acted on / are not serious (most of the time). That can cause real harm.
I have a hard time sympathizing with this. Our project gets a handful of these "beg bounty" things a year; usually they're repeats -- SPF and "clickjacking" are common ones, but we also get other ones. ("You're exposing people's usernames through this weird JSON thing!" "Yes, we're also exposing people's usernames in the 'by' line of the post itself. There's nothing in that JSON that's not also available by just doing plain web scraping."). If we see a new complaint we always look at it to see if it's something we actually care about.
If you're working with pictures and audio of kids, or have details of people's activities that they may not want made public (like their taste in "Adult Fanfic"), there's absolutely no excuse for not looking at each report, even if 95% of them are low-value.
EDIT: I mean of course the "Report and then ask for a bounty" kinds, not the "Give me the bounty and I'll tell you the bug" kinds.
At my previous job it was about 10 per day after we started having an official process. I gather that people would just Google us.
It was very easy to filter the bad reports, though. About 10 minutes of work per day, since most were repeated issues. We had a default "reply" email with information.
The issue, however, was that those people would get extremely angry when their security issue was deemed invalid, so we started just blocking senders that would threaten us or demand payment for invalid issues. Some would stalk me and other developers on LinkedIn and would demand immediate payment. Of course that only happened about 4 times.
Another issue was caused when some invalid issues would get SO MANY REPORTS from automated scanners that we would actually decide to make a change just to prevent the reports. In some of those cases we actually paid and credited the first person, but then the other 30 would demand payment too and accuse us of lying.
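A small triage helper in the spirit of the process this comment describes (canned replies for repeated low-value findings, duplicate detection so only the first reporter is credited, everything else to a human). This is an added example, not the commenter's code or their company's tooling; the noise patterns, reply templates, sensitive-data keywords and sample reports are all constructed assumptions.

```python
import hashlib
import re
from typing import Dict, Tuple

# Constructed catalogue of report types that get a canned reply.
# The patterns and reply text are illustrative assumptions, not real templates.
KNOWN_NOISE = {
    "spf": (
        re.compile(r"\bspf\b|\bdmarc\b|email spoof", re.I),
        "Thanks. Our mail authentication policy is intentional; this is out of scope.",
    ),
    "clickjacking": (
        re.compile(r"clickjack|x-frame-options|frame-ancestors", re.I),
        "Thanks. Framing of the pages you listed has no security impact; this is out of scope.",
    ),
}

# Anything touching these topics is never auto-dismissed, even if it also
# matches a noise pattern (the "no excuse for not looking" case above).
SENSITIVE = re.compile(r"\b(minor|child|children|kids?|pii|private)\b", re.I)


def fingerprint(report: str) -> str:
    """Normalize a report so near-identical scanner output hashes the same.

    URLs, numbers and whitespace runs are collapsed before hashing, so the same
    finding reported against /user/123 and /user/456 is treated as one issue.
    """
    text = report.lower()
    text = re.sub(r"https?://\S+", "<url>", text)
    text = re.sub(r"\d+", "<n>", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def triage(report: str, seen: Dict[str, str]) -> Tuple[str, str]:
    """Classify one incoming report.

    Returns (decision, message) where decision is one of:
      'review'    - a human must read it (sensitive topic or unknown pattern)
      'duplicate' - fingerprint already recorded; credit stays with the first reporter
      'canned'    - matches a known low-value pattern; send the template reply
    `seen` maps fingerprint -> label and is updated in place.
    """
    if SENSITIVE.search(report):
        return "review", "Mentions sensitive data; a human must read this."

    fp = fingerprint(report)
    if fp in seen:
        return "duplicate", f"Duplicate of an earlier report ({seen[fp]}); credit goes to the first reporter."

    for name, (pattern, reply) in KNOWN_NOISE.items():
        if pattern.search(report):
            seen[fp] = name
            return "canned", reply

    seen[fp] = "pending-review"
    return "review", "No known pattern; queued for human review."


def run_demo() -> list:
    """Run a constructed batch of reports through triage and return the decisions."""
    seen: Dict[str, str] = {}
    samples = [  # constructed sample reports, not real submissions
        "Your domain example.com has no SPF record, attacker can spoof email!",
        "URGENT: no SPF record on example.com, email spoofing possible, please pay bounty",
        "Your domain example.com has no SPF record, attacker can spoof email!",
        "IDOR at https://example.com/api/user/123 exposes user 123's address",
        "IDOR at https://example.com/api/user/456 exposes user 456's address",
        "Page https://example.com/login has no X-Frame-Options, but it lists kids' profiles",
    ]
    return [triage(s, seen)[0] for s in samples]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The order of checks is the point: the sensitive-data test runs before anything else so a noisy-looking report about the wrong kind of data can never be auto-closed, and the duplicate check runs before pattern matching so that, once an issue has been credited to the first reporter, the next 30 copies from the same scanner get a duplicate notice rather than a fresh reply.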
Complaining about the phenomenon isn't doing anything about any of these 3 issues. There is a powerful economic incentive driving it, and a lot of independent actors. Really all we're doing here is driving up our own blood pressure. People who operate serious bounty programs have been dealing with this effectively for over a decade.