Site icon Sophos News

Beware of technical “experts” bombarding you with bug reports

We’re all appalled at scammers who take advantage of people’s fears to sell them products they don’t need, or worse still products that don’t exist and never arrive.

Worst of all, perhaps, are the scammers who offer products and services that do exactly the opposite of what they claim – making their victims pay up simply to make them even easier to defraud in future.

Well-known cyberexamples of this sort of fraud include:

Beware “beg bounties”

Well, there’s a new kid on the technoscammology block: bogus bug reports!

Sophos researcher Chester Wisniewski has dubbed these “beg bounties”, because they’re unsolicited messages that are begging for your attention, and we suggest that you read his excellent writeup to find out what these beggars are up to:

You probably know that many companies these days have a way for bug hunters – some of whom make their living from figuring out out security holes in corporate websites and software – to report problems they’ve found, and potentially to get paid for their work.

As haphazard as this sounds, bug bounty programmes usually follow a well-structured format, and professional bug hunters work carefully within well-defined limits while they’re probing for holes.

The idea of so-called responsible disclosure policies (you can find bug submission instructions for Sophos on our main website) is that they give bug bounty hunters a realistic amount of freedom to explore for holes without getting prosecuted for illegal hacking.

At the same time, bug bounty programmes typically have sufficiently well-defined boundaries that they don’t offer a casual “get out of jail free” excuse that could be abused by criminals whose intention is not to help fix problems but to find and exploit them.

For example, if you want to go bug hunting on behalf of Sophos, you have to agree, amongst other things:

Note that the idea of bug hunting is not simply to show that you can break things if you want, like a street vandal who has figured out that you can smash up a bus shelter with a baseball bat, but to find and document real-world flaws with sufficiently scientific rigour that they can be traced down and fixed.

The professional bug hunting community, therefore, has become a largely self-regulating group.

If you don’t have the right level of expertise, you’ll find it hard to come up with work of sufficient quality to to make your evidence repeatable and reliable; if you don’t have the right level of morality, you’ll find it hard to play fair enough to qualify for the bounty anyway, and difficult to get accepted by the commnunity.

Baffle them with technobabble

Chester’s so-called “beg bounty hunters” don’t care about any of this, because their modus operandi goes something like this:

The examples in Chester’s article give you a good idea of the nebulous way that these bluffers operate.

Some of these chancers, to be scrupulously fair, may genuinely consider themselves to be bug hunters with sufficient skills to help you secure your network better, and may not actually be charlatans or criminals operating with malice aforethought.

One of the sample “beg bounties” that Chester dissected, for example (we’ve received one of these ourselves), tells you that you have a security hole in your website, but backs up the claim with some copied-and-pasted waffle about a security technology that applies to email servers.

So the most generous interpretation of this “beg bounty” report is that the sender is technically incompetent almost without limit, and ought not to be allowed near your network to do cybersecurity work.

Other beg bounty chancers, it’s fair to say, are unreconstructed scaremongers who are trying it on without going quite as far as saying “pay up or else”, which would be blackmail.

Clearly, they’re not the sort of people you could trust near your network, either.

What to do?

Here’s Chester’s advice:

After all, if there is any truth in an alleged security hole that a self-proclaimed bounty hunter reported to you, a trustworthy security and penetration testing company should find it and help you to fix it properly.

But if the alleged vulnerability is made-up garbage, a trustworthy cybersecurity partner will figure that out too, and stop you wasting money on a ‘precaution’ that does nothing except to give you a false sense of security.


Exit mobile version