Ask HN: How do you deal with unsolicited bug bounty hunters?

14 points by cyberferret ↗ HN
I was emailed yesterday by someone out of the blue claiming to be a security researcher who 'found' a security flaw in our SaaS app.

I was highly skeptical, and asked for details on the severity of the bug, plus any past references and work history regarding his bug bounty work, but he refused to give me much information until after I agreed to pay him a minimum $250 bounty.

I refused to do so, but then I noticed on our 'God mode' dashboard that he created an account on our SaaS and then tried to upload an image with a malicious header as his avatar. Our system detected this, logged it an warned us, and stopped the activity. Our hunter then simply logged off and disappeared, and we terminated his account in the system.

Just curious as to how other DevOps or developers out there deal with unsolicited bounty hunters like this? What is the best way to ascertain if their request is legitimate or not? How do you handle the 'chicken and egg' situation of agreeing to payment just in case they have found a valid security hole?

7 comments

[ 2.3 ms ] story [ 19.8 ms ] thread
Maybe by guiding oneself by the established reputation of the hacker in question, and by paying with escrow.
Any good escrow services out there that can facilitate this sort of interaction that you could recommend?
(Full disclosure, I work at Bugcrowd)

Check out Bugcrowd.com - we can manage the whole thing for you and we can even give your dev team remediation advice/information so that they can fix it.

We've been doing this stuff for several years, so we'll be able to help you get everything setup and ready to go no problem :)

There is a whole industry of people in India/Pakistan that do this. Their recommendations are pretty straight forward and usually based on basic vulnerability scanners and password best practices. It is very likely you can figure out your issue yourself, it is likely very obvious.

I believe that this user is likely correct that there is a vulnerability and I would suspect it is a fairly straight forward one and you'll think it wasn't worth even $250.

Here is a list of open source vulnerability scanners:

https://resources.infosecinstitute.com/14-popular-web-applic...

And check your password practices, your headers to prevents XSS/iframing, and get your SSL certificate checked via an online tool. Also check the version numbers of your web server, jQuery, etc to ensure that you are not using one that has a security issue.

The guy you are dealing with is not sophisticated, just looking for a quick buck doing something simple you are not doing.

$250 is not a lot of money. The risk/reward ratio works out in your favor.
Create a standard bug bounty policy and post it. I presume you’d like to find high value bugs an that bounties may be an inexpensive way to find some. Plus it give big submitters a clear picture of what they can expect from you. Most that I’ve seen have some evaluation period before payment. If the big submitter doesn’t agree to your terms, they are probably not for real. Unless you are a high profile company, they probably won’t spend effort arguing.

Also your customers might like that you have a public big bounty program. That might give them more confidence in your security.