Email from a Security Researcher
Yesterday, for the Nth time, a client had a “security researcher” send an email about a “high-impact” security vulnerability. I’ve crafted this response a few times so I figured I would blog about it.
So here’s the email:
Hi <name>,
I'm <"researcher" name>, a penetration tester, and I have found a high-impact security vulnerability in the <company name> web app.
How can I report the issue details? Also, I'm inquiring if you reward reporting valid vulnerabilities.
Thanks, <"researcher" name>
Digression About Vulnerability Disclosure Programs
In general, I’m a fan of having a vulnerability disclosure program. Fundamentally, a disclosure program has to outline rules of engagement for reporting a vulnerability and a timeline for expecting a response. It might or might not involve a reward. The program should include some sort of scope.
This is positive, because often folks that are interested in software tinker with it (hack it) and find things that are important. Before disclosure programs and bug bounties, there was a lot of hostility to “hackers” who reported these kinds of issues - and so sometimes those issues would get sold into the zero day market. A disclosure program presents a company’s positive attitude toward researchers reporting issues and gives a framework for it to happen in a trustworthy way.
I’m also a fan of bug bounty programs, which are similar but generally imply that there is a reward for a reported vulnerability, a more explicit scope and a sense of what types of vulns may or may not be reported. Bug Bounty programs are often intermediated by firms like BugCrowd or HackerOne.
I have met a bunch of folks that are very active in this particular security community, and I’ve run bounty programs at large companies. There are a lot of great people here.
As others have stated previously more eloquently than I will, there are times and places to start a bounty program.
The TL;DR of which seems to be: bug bounties are great when you’ve got basic hygiene figured out and you have a way to handle an ongoing volume of reports.
Otherwise, you might just get inundated with information you don’t know how to deal with and only very little of which is realistically important to your security.
The Gory Detail
The truth is, these types of emails are common and often a result of someone opportunistically scanning for issues and hoping to make a little money.
They frequently identify issues such as missing X-Frame-Options HTTP headers or similar. Often, they are actually low or even informational severity, contrary to what the researcher’s email says.
Now, if the person is a legit security researcher letting you know about a problem, you want to thank them and give them a way to share what they know and ideally give them something in return. A researcher might accept recognition or swag. In the long run, we want to make these legitimate and commensurate with the value of the identified issue. I have seen researchers submit amazingly useful findings.
The problem is that most of these submissions, especially when framed like the one above, are not significant security findings at all and they are being used to SPAM a large number of companies with the hope that some will pay.
I have also seen “researchers” turn into extortionists who publicly complain about the way a company handles a minor problem in order to get attention and a reward.
To respond effectively, we want to engage the earnest researcher while shutting down the discussion with the extortionist.
I recommend responding with something like this email template:
Hi there,
Thank you for reaching out. We do not currently have a vulnerability disclosure program, reward program or bug bounty in place.
That being said, we have folks on the team that have been involved in those types of programs and know how to run them and it is something we may do in the future.
If you would like to report the issue to this security@ email, we will track it in good faith and consider providing some kind of award or recognition if we can.
At the same time, having run these programs in the past, we also know that there are a lot of folks out there who run scanners and submit the results to try to claim rewards. Those types of findings aren’t the type of issues that our program can reward.
We certainly appreciate the security community and understand the value of a mutually positive model for interaction. We’re committed to engaging with integrity.
We look forward to hearing from you.
Thank you,
Security
Of course, you have to actually engage with integrity and track the issue. If you do start a program, you should reward the researchers that reported real findings. You also have to communicate with researchers and fix issues.