TL;DR
Why Should I Care? Unauthorized security testing is often driven by personal motives and can result in vulnerabilities being reported for personal gain.
What Should I Consider? Security reports need to be assessed for the reporter's reputation, their intent and the associated risks.
Introduction
Recently I was asked how to approach a security vulnerability report that arrived unexpectedly by email with very little information. This led me down a bit of a research path to something called “Beg Bounties”.
Note: Before going into beg bounties, I want to be clear that legitimate security reports do occur, and there is great value in them and in vulnerability disclosure programs. This post is mostly about reports that are unexpected and non-novel.
Beg Bounties
Beg Bounties occur where “security researchers” opt into testing applications in the wild, without authorisation, for some sort of gain. The intent can be anything from recognition all the way to financial gain. The following quote captures the essence of beg bounties:
Beg bounty queries run the gamut from honest, ethical disclosures that share all the needed information and hint that it might be nice if you were to send them a reward, to borderline extortion demanding payment without even providing enough information to determine the validity of the demand.
This situation raises concerns for businesses because it can move into the territory of potential extortion. Generally speaking, where extortion is the goal the demand becomes very apparent, and the reporter may even threaten to expose sensitive information.
The Vulnerability
The reality is that if security testing such as vulnerability scanning and regular penetration tests is not conducted, there is more than likely a vulnerability on the system. Greater value is likely to come from implementing basic security testing than from remediating the single reported issue.
Most security reports are going to come from someone you’ve never heard of, even if they have a solid reputation. With this in mind, the reporter may well have identified a novel, application-specific vulnerability or something genuinely unique. This shifts us into exploring the “security researcher’s” reputation, possible intent and risk. A Google search is the best place to start when trying to understand the reporter’s reputation. If you’re able to identify the reporter, this may be a good sign that it is a genuine report. If, however, you’re unable to establish a solid reputation through basic searches, the reporter’s reputation is likely low and it may be risky to engage further.
The intent of the report will often come down to considering the content of the report alongside the reporter’s reputation. Are they trying to enhance their resume? Are they genuinely reporting an issue? Are they wanting to build a business brand? And so on.
References
A lot of inspiration comes from Troy Hunt’s post on Beg Bounties, where he goes into greater detail: https://www.troyhunt.com/beg-bounties/