devnull.land

Miscellaneous bits and bobs from the tech world

Wannabe "Security Researchers" are the worst part about running a bug bounty

5/16/2022, 11:46:29 AM

Where I work, we run a bug bounty. We've done this for a number of years, and it's yielded great results in that bugs that could potentially affect user data are quickly and quietly dealt with at our own pace, and we retain control over the narrative (as opposed to having it disclosed publicly and dealing with the fallout.)

By far, however, the most annoying part of running the bug bounty program are the wannabe security researchers.

You know the kind;

  • The ones who run automated scanners against every website they can find
  • The ones who copy and paste technical jargon from websites in an attempt to feign legitimacy
  • The ones who assign a "high" priority to their reports via subject—just to get your attention
  • The ones who, when pressed for details, have no clue what they're talking about or even reporting
  • The ones who will never read the rules of your bug bounty
  • The ones who will ask you for money even if the report is invalid

It gets worse... occasionally, when you reject an invalid report outright, they have the gall to ask you for money anyway:

Thank you for your response.


i hope this type of hard effort deserves something

best regards.,

Thank you for your response. but you can give me 5$ this is my paypale email 

But sir bug is working so you can giving me a small appreciation sir

I've even had reporters reply back to a confirmed bug (with limited security implications), and ask for more money. In what kind of world is that acceptable?!

One time, I had a report come in for a vulnerability that was discovered by someone else. This reporter had read the write up, and proceeded to go around and try to shake down companies for money, even though he didn't do any of the actual research. That's what really gets my goat, is that almost all of these reports aren't even from the original discoverers. It's like a whole cottage industry sprang up just to go around and extract as much money as possible from businesses for having misconfigured "Powered By" headers on their servers.

I make the rules of my bug bounty easily accessible and simple to follow. There is a specific testing endpoint to report bugs against, and I can even make exceptions if you don't read any of the other rules except that main rule.

  • I've tried breaking the (one item long) list into its own section.
  • I've tried emphasizing the text.
  • I've tried bolding and making the text larger.
  • I've surrounded the line with emoji and moved it to the top of the rules.

None of it makes a lick of difference.

I don't want to be overly punitive in case I disincentivise the reporting of a legitimate security concern, but boy, does this get tiring.

The really confusing part is that in some cases, these "security researchers" think they are doing serious work. They will get offended if their report is rejected, and play up the severity of any potential implications.

In the end I think I will have to be exceedingly strict—a single warning followed by a ban.

Just for fun, I took a look our reports since January 2022, and manually collated the resolutions. Out of 43 reports:

  • 38 were invalid
  • 1 was a valid bug but had no security implications
  • 4 were valid and paid out accordingly.

P.S. Honestly, this has been the only annoyance with running my own bounty. Is it worth saving upwards of $10,000 USD/annum compared to going with a "Bug Bounty as a Service"? Good god yes..