Skip to content
Products and Services PRODUCTS & SERVICES

Beg bounty hunting – why do people do it, and how?

I recently wrote a Sophos News article on the whole phenomenon of “beg bounties” and invited organizations that had been affected to get in touch. Many did and some had amazing stories to tell. In this article I will explain what I learned about why people become beg bounty hunters and how they approach it. A further article will detail the experience of one particular target.

 

Nearly ten years ago, when bug bounties went mainstream with the launch of Bugcrowd and HackerOne, thousands flocked to these services to make a few bucks. The problem is that to make any real money you need well-honed skills. The low hanging fruit has already been picked. Additionally, organizations sophisticated enough to launch a bug bounty program are unlikely to be duped by spurious claims.

Organizations with a program simply filter out such reports and point submitters to the program/policy explaining why these types of reports don’t qualify for payment. Those without programs, however, are likely unprepared to deal with these “security advisories.” They may overestimate the severity of the risk reported and can find it harder to explain that they don’t pay for bug reports at all, let alone something of low severity.

Enter the beginning of the “beg bounty”. I wrote about this a few weeks ago, and it seems to have struck a chord with some of our readers. Security engineers reached out with their own experiences, and I learned of a couple more examples fielded by the security team at Sophos. The concept of begging for a reward for innocuous or meaningless reports appears to be reaching fever pitch.

Target anyone, try anything

This growth appears to be fueled by the same thing driving so many other fads on the internet, social media influence. There is a whole cadre of people on social media who are sharing their experiences of making money through legitimate programs as bug bounty hunters. This has led to a large number of people interested in making money this way for themselves.

A few of these bounty hunters have built up a reasonably large following and are using that fame to launch training and penetration testing services. To make the most of their following, they often suggest their followers get started by finding and submitting anything and everything that might possibly get a recipient to pay. They suggest that it is quantity not quality that will set you off down the path to vulnerability riches.

Search bots and ciphers

One of the more ridiculous submissions I’ve seen came through last week. This person seems to think that having a robots.txt file, to tell search bots what you don’t want indexed on search engines, is a vulnerability. This is really scraping the bottom of the barrel…

Another ‘beggar’ recently targeted a large media company in France. Based on the correspondence, it is unlikely they understood who the targeted company was, but they started the conversation by proclaiming they had found that the target’s website was vulnerable to “weak ciphers.”

They included a screenshot and link to a stock report from Qualys SSL Labs. While the ciphers are in fact weak, none have been factored and it is a stretch to consider this a vulnerability per se.

The message was sent from a Gmail account and ends hopefully: “Regards. Found More bugs on your website reply me so that i may disclose them further.” (sp)

In a follow up message, they go on to say: “We have found more bugs/vulnerability in your website. Kindly clarify if there is any payout if we disclose them to you?”

The recipient replied thanking the reporter and explaining that they can’t release payments to individuals, only to companies and then only if the bug deserves compensation.

The reporter replied back asking for money directly at that point: “We understand but my team worked very hard to find these bugs in your website. We have found more. If you can pay us small token of appreciation 100-150$ we will submit all of our reports.”

After explaining again that they only pay companies, the reporter points the IT person to a website, which is mostly cut and pasted text from Wikipedia in a basic CMS. The company does not appear to be a legitimate registered company.

Again, the IT representative explains that he needs a company invoice and gives them the street address to submit the invoice to for payment consideration. The hunter responds a few days later asking for a two-day subscription to their publication (?).

Funnily, it appears that Google had suspended the reporter’s account right after they contacted the person at the victim company.  When the reporter contacts the organization again, they use another Gmail account with the number on the end incremented by two.

Also note that the person reporting the weak TLS ciphers on this company’s website doesn’t use encryption at all on their “company” website.

Before I was even able to finish looking into this person, another person sent a message to the same company offering to “draw your attention to some of the vulnerabilities in your site.” I see where this is leading and I suspect the outcome will only be more wasted time.

Don’t feed the trolls, don’t encourage begging, and it’s always DNS. That may be the three IT maxims to live by in 2021.

 

 

4 Comments

I used the term “Beg bounty” to indicate someone seeking renumeration for a bug or security lapse they have found outside of a formal bug reward program. If an organization has no real “bug bounty” program, than it is not realistic that they want to receive reports, nor should they be expected to reward unsolicited reports, especially of the useless sort these stories shine light on. If the organization has a bug bounty program, but the reports are out of scope (which all of the ones highlighted would be in most sanctioned programs), similarly people should not expect a reward or bounty. These stories all demonstrate unsolicited out-of-scope reports, hence the use of the term “beg”. They are begging for something they have no entitlement to.

Reply

What are you experiences of Open Bug Bounty, Chester? They keep hounding a client of mine with vague reports of “security vulnerabilities”. We’re advised to “contact their security researcher directly” for further information. In all, this sounds like the hook for a scam to me. These emails always come from an @gmail address, which looks highly unprofessional.

Reply

I’m not a fan of encouraging people to test peoples online assets without permission. Open Bug Bounty seems to go out of its way to ensure this is done ethically and with no expectation from the security researcher, other than acknowledgement and hopefully fixing the problem.

The people using the platform are mostly not professionals, but amateurs looking for some swag, students using your site as a way to practice, etc. I would certainly contact the researchers and determine how legitimate these reports are. If they are more DMARC boilerplate than it is a waste of time for everyone involved. If they are pointing our genuine issues, you may find them useful.

Either way, the best way to avoid this situation is to make reporting issues to you directly easy and clear as to what you want/need/expect and will provide. If you don’t pay bounties, make that clear in your policy or “report an issue” page on your site.

For many, all they are looking for is some acknowledgement to boost their CV. Others may in fact be a scam. I put more credence in reports from Open Bug Bounty than random emails from researchers as noted in these articles, but only a smidge more.

Reply

Leave a Reply to Ian Pegg Cancel reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!