HACKER Q&A
📣 peerthrow

Got an email from someone expecting a bug bounty. What to do?


"I am an independent security researcher and I have found a bug in your website"

Bug = I didn't have DMARC set up for outgoing email verification.

I ignored their email, set up email monitoring. I knew I didn't have SPF verification set up, but had put it off.

A few weeks passed, then nothing.

Then they emailed and said:

"Kindly update me regarding the issue and I am expecting a bug bounty from you for sending this bug ethically to you."

I ignored it.

A few more weeks later, I saw a bunch of spoofed emails sent from the domain in the email report.

I then set up DMARC for forensic reports.

Then a week or so later / now, they emailed and said:

"A lot of websites have rewarded me for letting them know about this bug because this is an impactful bug. It will be justifiable if you reward me in any way either a cash reward, amazon gift voucher or a swag as a token of appreciation. Also, I've found more critical bugs too so if you're willing to make your website safer you won't take this matter lightly."

What should I do?

It kinda seems like they're trying to threaten me.

If I give them a $10 or $25 Amazon gift card will this all go away or will they ask for more things? I'd be happy to give them something if it's small and they won't contact me again. But I don't want to open a can of worms and have them contact me again and again. I also don't want to ignore them and have them do something sketchy.

Anyone dealt with something similar?
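For anyone who wants to check their own domain the way these automated "No DMARC record" emails do, here is an added example (not code from the thread) that parses a DMARC TXT record and lists the weaknesses a receiver or scanner would see. The sample records are constructed; look up the real one with `dig TXT _dmarc.yourdomain`.

```python
# Added example, not from the original post: parse a DMARC TXT record and
# report the weaknesses a scanner would flag. Sample records are constructed.
from typing import Dict, List, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # tolerate trailing ';' and stray whitespace
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means the record enforces."""
    if record is None:
        return ["no DMARC record published: receivers have no policy to apply"]
    tags = parse_dmarc(record)
    findings: List[str] = []
    if tags.get("v") != "DMARC1":
        findings.append("missing v=DMARC1 tag: receivers will ignore the record")
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("unknown policy value p=" + policy)
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append("pct=" + pct + ": policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= aggregate report address: you will not see spoofing")
    if tags.get("sp") == "none":
        findings.append("sp=none leaves subdomains unprotected")
    # ruf= (forensic reports, as the poster enabled) is optional and not scored here.
    return findings


if __name__ == "__main__":
    samples = {
        "none": None,
        "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:f@example.com",
    }
    for name, rec in samples.items():
        print(name, "->", assess_dmarc(rec) or ["OK"])
```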


  👤 LinuxBender Accepted Answer ✓
There is a lot of this. I am not a lawyer, but unless you have a bug bounty program with specific terms and they signed up for it and agreed to your terms, you do not owe anyone anything. Never reward threatening and abusive people with gifts, as that marks you as an easy target. Same with communication: do not reply to them. Rewarding them will only encourage more of it, no different than ransomware.

Create rules to put their emails into a folder that gets archived and never deleted in case you need it as evidence later should they escalate their malevolent behavior. If it escalates into extortion and fraud causing financial harm then federal agents will need the emails fully intact.

All of that said, there is no harm in fixing things that people bring up.


👤 kjs3
Yeah...that's a straight up threat and this is a shakedown attempt. We (a large financial) get one of these an hour probably; I don't think we even track them.

There's no one right way to respond. Many options invite retaliation. Losers like this guy count on you being afraid of that. But security research is a reputation business, and damaging their reputation can be effective. Collect and keep every interaction. Consider that 'responsible disclosure' works both ways. But ignoring it is probably best.

Of course...take the time to make sure there aren't any real, low hanging fruit security issues in your site, and take time to set up monitoring so you catch unknown issues quickly. You know...things that you should do anyway.


👤 Nextgrid
If they see the lack of DMARC as a serious issue worthy of a bug bounty I wouldn't expect them to be competent enough to find any more critical bugs.

👤 tastysandwich
I think it's common as we (a fairly small company) got a similar email. Exact same thing, "No DMARC Record found". Almost certainly automated. We just ignored them. We don't have a bug bounty program and this isn't the Red Cross.

The missing DMARC record was on a domain we don't really use anyway.


👤 KomoD
That's a beg bounty, ignore it.

See: https://www.troyhunt.com/beg-bounties/


👤 throwawaysalome
So it's come to this. Programmers are the new squeegee guys.

👤 orbz
This is a pretty common thing. I and several other founders I’ve talked to have gotten the same thing, so I would assume it’s automated.

It’s unlikely they will do anything sketchy.


👤 nnurmanov
Interesting. This could be a new trend. You never asked, but we still delivered :)