How to deal with bug bounty hunters

Question

I operate a one-man SaaS. I have a dozen or so customers, and make enough money to cover costs but I&rsquo;m years away from being able to live off it.Every few weeks I get an email that goes something like this:Hi, I&rsquo;m an ethical hacker and I found some security vulnerabilities in your site. Attached is proof.I expect a reward for this information, can you let me know how much you will pay, or should I share this exploit online?&mdash;&mdash;&mdash; Now, none of the issues are very serious, nobody has been able to access data they shouldn&rsquo;t have, they&rsquo;re usually small things about header, XSS etc, but nevertheless valid.I can&rsquo;t really afford to pay them, and buy I also don&rsquo;t want to suffer reputation loss.At the same time, I don&rsquo;t k ow that it&rsquo;s realistic to have zero security recommendations as pretty much any project I&rsquo;ve ever seen has some&hellip; although it&rsquo;s a worthy target.Any recommendations on how to deal with this?1. Ignore them? 2. Pay them? 3. Thank them and ask them to move onI usually fix the problem and to (3), but it&rsquo;s concerning behaviour that seems to be increasing in frequency.

new_guy · Accepted Answer

If this is happening more than once then it sounds like your codebase is total shit (no offence)Hire an external auditor and have your code checked properly, because it's only a matter of time before someone finds the 'big one' and that they won't tell you about.

edoceo · Answer

Did you setup the security.txt file? If not, add one.
You could also explain your financial circumstances (not too much detail) and offer a small amount.
IME many of these inquiry are happy to get a few bucks - and the feather for the cap.
Also, a code audit would be in order.

yuppie_scum · Answer

If they are giving you the milk, don&rsquo;t buy the cow. Fix and move on. Someday you can hire a SecOps team or vendor.

How to deal with bug bounty hunters

If this is happening more than once then it sounds like your codebase is total shit (no offence)
Hire an external auditor and have your code checked properly, because it's only a matter of time before someone finds the 'big one' and that they won't tell you about.

Did you setup the security.txt file? If not, add one.
You could also explain your financial circumstances (not too much detail) and offer a small amount.
IME many of these inquiry are happy to get a few bucks - and the feather for the cap.
Also, a code audit would be in order.

If they are giving you the milk, don’t buy the cow. Fix and move on. Someday you can hire a SecOps team or vendor.

How to deal with bug bounty hunters

If this is happening more than once then it sounds like your codebase is total shit (no offence)Hire an external auditor and have your code checked properly, because it's only a matter of time before someone finds the 'big one' and that they won't tell you about.

Did you setup the security.txt file? If not, add one.You could also explain your financial circumstances (not too much detail) and offer a small amount.IME many of these inquiry are happy to get a few bucks - and the feather for the cap.Also, a code audit would be in order.

If they are giving you the milk, don’t buy the cow. Fix and move on. Someday you can hire a SecOps team or vendor.

If this is happening more than once then it sounds like your codebase is total shit (no offence)
Hire an external auditor and have your code checked properly, because it's only a matter of time before someone finds the 'big one' and that they won't tell you about.

Did you setup the security.txt file? If not, add one.
You could also explain your financial circumstances (not too much detail) and offer a small amount.
IME many of these inquiry are happy to get a few bucks - and the feather for the cap.
Also, a code audit would be in order.