hi folks - I just got a cold email from someone calling themselves an 'ethical hacker' containing info on a minor vulnerability on my website. They're asking for a bug bounty which I don't offer anywhere but no actual $ amount.
Should I pay or is this step 1 in a well known scam which ends up with me waking up in an ice bath with memory loss and some crucial internal organs missing?
Here’s the email:
"Greetings, I am a professional freelance security researcher. I have taken the liberty of performing a cursory audit of your website's public security configuration and have discovered a vulnerability that I believe you would appreciate being made aware of. <Gives details of vulnerability>. Note: I'm hoping to receive a bounty reward for my current finding. I will be looking forward to hearing from you on this and will be reporting other vulnerabilities accordingly."
Troy Hunt recently published a blog post about this exact thing, calling it "beg bounties".
Not everyone will agree with his take on this, but I think it's helpful to be made aware of this and how prevalent it is, and that the "issues" being reported may not be such a big problem as these guys make it sound.
Ah nice, I read Troy's blog but had not seen that article. It even specifically mentions ClickJacking which is the vulnerability that was reported to us.
We get at least one of these types of emails per week. Most of them are just people who run basic scripts on our website or standard DNS checks and are trying to report really minor things as 'potential vulnerabilities'.
99% of the reports are for our company blog which runs on Wordpress (I hate WP), and they just run standard WP exploit scripts and tell me about holes in the plugins we use. We don't really care if our blog goes down as it does very little in terms of our marketing activity. In fact, last month it was down because one of the plugins we use lost their domain so our entire blog was down for about 3 days, with no impact (But you can see why I hate WP).
So far, only one bounty hunter actually logged into our app and found a very minor issue in there which didn't really affect data but could have been a nuisance, but he was good enough to give us the report up front so we rewarded him with USD$100 for his effort.
Other than that, I consider most of these unsolicited 'reports' a nuisance, and in fact I have set up an alert for when generic Gmail accounts sign up for our SaaS (we are a B2B SaaS and almost all our users sign up from a company email address) so I can pick out whether they are just someone kicking around trying to find 'vulnerabilities'. Most of them are easy to spot because their email is something like '[email protected]' etc. I tend to disable those accounts pretty quickly.
Thanks Devan, that matches up with what we saw except the vulnerability was in our production web server so more of a concern for us than a blog.
I'm going to ask what other vulnerabilities he's found and their severity so I can scope out the potential reward amount.
Yes, looking at your other replies, it looks like this guy discovered an actual thing that might be a problem, but like you said, it could be something quite minor, so it is up to you whether you think it is a genuine issue that is worth some sort of reward.
For instance, nearly all the 'bug reports' we get now are people telling us the DKIM settings on our domain email are not tight enough, but we have to deliberately loosen them because we have third-party providers like Stripe etc. sending transactional emails from our domain. Those ones I just ignore.
I went through my email history since my reply to you and I can see now that over the past 5 years I have paid out to 3 separate bounty hunters who found something that I considered credible. Two of them got USD$50 and one got USD$100, and they seemed to be happy with that, so thankfully it doesn't look like these guys want to ransom your bank account but are happy enough with a token payment for their efforts.
Are you able (can you afford) to have an audit done by a third party who you trust and who is recommended? Then you can be more prepared to answer this ethical hacker and be more inclined to pay them. Also, I wonder if there is some way to look up this guy's credibility? Does he have a legit company and is he fishing (kind of awkwardly) for new clients?
Both good ideas thank you - re: his credibility - it looks a little shady as it's from a gmail address and has no company details. Although, given how even white hat hacking can end up in jail perhaps he's just being cautious. I'll ask him for some background info to see what he comes back with.
If it is a legit vulnerability and classified as low severity - send him some coffee and bun money. I would do it.
Also, take it as a small PR opportunity and write about it on your blog, if you happen to have one.
Oh yeah, fix that vulnerability ASAP :)
Yes fair call, it is a genuine piece of work and good to know about, so it's fair to reward it even though it's unsolicited.
Do the technical details of the vulnerability match your system? Are they credible?
Yes, it's credible, the vulnerability is indeed present: https://owasp.org/www-community/attacks/Clickjacking. It's classed as low severity apparently and doesn't sound like a huge concern.
The Apache logs picked up some automated vulnerability scanning which took place a week or so ago which I think is linked to this person(s). The scanning looked fairly generic (looking for Wordpress vulnerabilities and that sort of thing) but I can't be certain that there weren't other attack vectors and I don't know whether they were successful or not.
I'm in a similar situation.
A small non profit organization I'm on the board of was contacted by an ethical hacker mentioning a vulnerability in our online properties and asking whether some compensation was available. Although he mentioned a POC, he never delivered it, provided any technical details, or followed up. What we found unusual is he emailed from a Gmail address.
That's interesting, thanks for letting me know.
In this case the POC is just three lines of HTML (an iframe) which shows the login page can be embedded on another website, so it was included.
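As an added example (not code from the thread or any of its posters), here is a small Python check of whether a response's headers stop the page from being loaded in a cross-site iframe, which is what the clickjacking finding and the three-line iframe POC above come down to. The header sets at the bottom are constructed samples, not captured from any real site.

```python
# Added example: classify a response's framing protection so a defender can
# confirm (or rule out) the clickjacking condition reported in the thread.

def _frame_ancestors(csp_value):
    """Return the source list of a CSP frame-ancestors directive, or None."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_framing(headers):
    """Return ('protected' | 'partial' | 'framable', reason) for a header dict.

    Browsers that understand CSP frame-ancestors ignore X-Frame-Options when
    both are present, so CSP is evaluated first. X-Frame-Options ALLOW-FROM
    is obsolete and ignored by current browsers, so it only counts as partial.
    Header names are matched case-insensitively.
    """
    lower = {name.lower(): value.strip() for name, value in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = _frame_ancestors(csp)
        if ancestors is not None:
            if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
                return "framable", "CSP frame-ancestors allows any origin to embed the page"
            return "protected", "CSP frame-ancestors restricts embedding to: " + " ".join(ancestors)

    xfo = lower.get("x-frame-options")
    if xfo is None:
        return "framable", "no X-Frame-Options and no CSP frame-ancestors header"
    tokens = xfo.upper().split()
    if not tokens:
        return "framable", "empty X-Frame-Options header is ignored by browsers"
    if tokens[0] in ("DENY", "SAMEORIGIN"):
        return "protected", "X-Frame-Options " + tokens[0]
    if tokens[0] == "ALLOW-FROM":
        return "partial", "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    return "framable", "unrecognised X-Frame-Options value is ignored by browsers: " + xfo


# Constructed sample header sets (not captured from any real site).
SAMPLE_RESPONSES = {
    "unprotected login page": {"Content-Type": "text/html"},
    "xfo only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp overrides xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    "obsolete allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        verdict, why = assess_framing(hdrs)
        print(f"{label:24} {verdict:10} {why}")
```

The fix for a 'framable' verdict is to send `Content-Security-Policy: frame-ancestors 'none'` (or `'self'` if you legitimately frame your own pages) and, for older browsers, `X-Frame-Options: DENY` alongside it.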
And there's another one - a fellow indie hacker said they received a similar email reporting the exact same vulnerability for his SaaS, but with slightly different email wording and from a different Gmail account. Our emails were received within 24 hours of each other!
We were contacted a month or so ago by a Muhammad K. self-describing as a "White Hat Hacker".