Nearly ten years ago, when bug bounties went mainstream with the launch of Bugcrowd and HackerOne, thousands flocked to these services to make a few bucks. The problem is that to make any real money you need well-honed skills. The low hanging fruit has already been picked. Additionally, organizations sophisticated enough to launch a bug bounty program are unlikely to be duped by spurious claims.
Organizations with a program simply filter out such reports and point submitters to the program/policy explaining why these types of reports don’t qualify for payment. Those without programs, however, are likely unprepared to deal with these “security advisories.” They may overestimate the severity of the risk reported and can find it harder to explain that they don’t pay for bug reports at all, let alone something of low severity.
Enter the beginning of the “beg bounty”. I wrote about this a few weeks ago, and it seems to have struck a chord with some of our readers. Security engineers reached out with their own experiences, and I learned of a couple more examples fielded by the security team at Sophos. The concept of begging for a reward for innocuous or meaningless reports appears to be reaching fever pitch.
Target anyone, try anything
This growth appears to be fueled by the same thing driving so many other fads on the internet, social media influence. There is a whole cadre of people on social media who are sharing their experiences of making money through legitimate programs as bug bounty hunters. This has led to a large number of people interested in making money this way for themselves.
A few of these bounty hunters have built up a reasonably large following and are using that fame to launch training and penetration testing services. To make the most of their following, they often suggest their followers get started by finding and submitting anything and everything that might possibly get a recipient to pay. They suggest that it is quantity not quality that will set you off down the path to vulnerability riches.
Search bots and ciphers
One of the more ridiculous submissions I’ve seen came through last week. This person seems to think that having a robots.txt file, to tell search bots what you don’t want indexed on search engines, is a vulnerability. This is really scraping the bottom of the barrel…
Another ‘beggar’ recently targeted a large media company in France. Based on the correspondence, it is unlikely they understood who the targeted company was, but they started the conversation by proclaiming they had found that the target’s website was vulnerable to “weak ciphers.”
They included a screenshot and link to a stock report from Qualys SSL Labs. While the ciphers are in fact weak, none have been factored and it is a stretch to consider this a vulnerability per se.
The message was sent from a Gmail account and ends hopefully: “Regards. Found More bugs on your website reply me so that i may disclose them further.” (sp)
In a follow up message, they go on to say: “We have found more bugs/vulnerability in your website. Kindly clarify if there is any payout if we disclose them to you?”
The recipient replied thanking the reporter and explaining that they can’t release payments to individuals, only to companies and then only if the bug deserves compensation.
The reporter replied back asking for money directly at that point: “We understand but my team worked very hard to find these bugs in your website. We have found more. If you can pay us small token of appreciation 100-150$ we will submit all of our reports.”
After explaining again that they only pay companies, the reporter points the IT person to a website, which is mostly cut and pasted text from Wikipedia in a basic CMS. The company does not appear to be a legitimate registered company.
Again, the IT representative explains that he needs a company invoice and gives them the street address to submit the invoice to for payment consideration. The hunter responds a few days later asking for a two-day subscription to their publication (?).
Funnily, it appears that Google had suspended the reporter’s account right after they contacted the person at the victim company. When the reporter contacts the organization again, they use another Gmail account with the number on the end incremented by two.
Also note that the person reporting the weak TLS ciphers on this company’s website doesn’t use encryption at all on their “company” website.
Before I was even able to finish looking into this person, another person sent a message to the same company offering to “draw your attention to some of the vulnerabilities in your site.” I see where this is leading and I suspect the outcome will only be more wasted time.
Don’t feed the trolls, don’t encourage begging, and it’s always DNS. That may be the three IT maxims to live by in 2021.