Fresh Thoughts #127: Bug Bounties and Beg Bounties
- Newsletter
"I've found a vulnerability in a service I use...
Now what?
If I report it...
Will they say I'm a hacker?
Will they report me to the police?
Who do I report it to?
It's best if I don't say anything.
But... if I don't, then others can access my data.
It's best if I no longer use the service...
But they're the best at what they do..."
This is the dilemma that faced many security professionals in the early 2010s.
Vulnerabilities were common.
But the methods of reporting them were fraught with complexity and accusation.
The idea of responsible disclosure - informing the vendor first - was an ideal practice.
However, the details of how to achieve this were far from standardised.
Vendors could choose not to respond.
Or take so long to respond that a hacker would publish the vulnerability without responsible disclosure and steal all the attention.
Formed in 2012 - HackerOne - started to solve this problem.
Providing a standard set of policies and expectations.
Vendors were encouraged to create a "Bug Bounty" programme.
Which outlined the services that could be tested and the cash bounties a security researcher could expect for finding a vulnerability.
Security researchers had a framework for their reports.
They would not be reported to the police, would be assured of a response, and would be rewarded for their efforts.
An ideal situation for all involved.
Extortion Bounties
Unfortunately, some have seen the reporting vulnerabilities or compliance breaches as an opportunity to make money.
Shortly after GDPR came into force in 2018, small businesses started receiving ominous letters.
The letters asserted that the companies had violated GDPR because they did not have a cookie policy or an appropriate cookie consent mechanism.
The letters claimed to be from a senior GDPR and IT consultant who had visited the recipient's website and required a payment of £500 - £1,000 for loss of control of personal data and the distress caused.
Looking at the details of the situation - often the recipients had violated GDPR - as a cookie policy and appropriate consent mechanism were required.
However, the problem should have been reported to the Information Commissioner's Office (ICO).
The fear surrounding the formation of the ICO and their ability to fine companies enabled this scam.
When an industry group in the travel sector highlighted this type of demand in 2021, they found that over 180 businesses had paid the "bounty" in the previous five months to avoid being reported to the ICO.
Beg Bounties
Over time, the threat of an ICO fine has reduced, and a third type of bounty has emerged: a "beg bounty".
Various forms of beg bounties exist, and all involve an unsolicited email reporting a "vulnerability" in a website or email configuration.
These vulnerabilities are often minor variances in best practices but come with an expectation of being paid for the reporter's time.
A current, common scam relates to DMARC - a security protocol that helps prevent spoofing of emails - along with SPF and DKIM.
A configuration that uses a "~all" (soft fail) rather than a "-all" (hard fail) is enough to receive a payment request.
Implementing DMARC is undoubtedly a security best practice, and at Fresh Security, we strongly encourage customers to use the protocol.
However - like all cybersecurity - implementing it is a business decision.
The exact implementation depends on whether you are a bulk email sender and whether or not you use any legacy IT systems.
This nuanced, business-first view of security is lost on people sending beg bounties.
I agree with Sophos' description of beg bounties as "scaremongering for profit".
Final Thoughts
Bug bounties are a valuable process in cybersecurity.
They offer a pre-agreed way of exchanging vulnerability information and being compensated for the effort.
Unfortunately, their use has given rise to demands for payment for the most minor of issues.
Extortion bounties and beg bounties use seeds of truth - as they report misconfigurations - compared to cybersecurity best practices.
However, the reported vulnerabilities are often insignificant and fit within a larger scheme of cybersecurity risk management.
I have yet to find a cybersecurity professional who has deemed a beg bounty worth the proposed fee.
July 16, 20244 Minutes Read
