Ask HN: How do you deal with unsolicited bug bounty hunters?
I was highly skeptical, and asked for details on the severity of the bug, plus any past references and work history regarding his bug bounty work, but he refused to give me much information until after I agreed to pay him a minimum $250 bounty.
I refused to do so, but then I noticed on our 'God mode' dashboard that he created an account on our SaaS and then tried to upload an image with a malicious header as his avatar. Our system detected this, logged it an warned us, and stopped the activity. Our hunter then simply logged off and disappeared, and we terminated his account in the system.
Just curious as to how other DevOps or developers out there deal with unsolicited bounty hunters like this? What is the best way to ascertain if their request is legitimate or not? How do you handle the 'chicken and egg' situation of agreeing to payment just in case they have found a valid security hole?
7 comments
[ 2.3 ms ] story [ 19.8 ms ] threadCheck out Bugcrowd.com - we can manage the whole thing for you and we can even give your dev team remediation advice/information so that they can fix it.
We've been doing this stuff for several years, so we'll be able to help you get everything setup and ready to go no problem :)
I believe that this user is likely correct that there is a vulnerability and I would suspect it is a fairly straight forward one and you'll think it wasn't worth even $250.
Here is a list of open source vulnerability scanners:
https://resources.infosecinstitute.com/14-popular-web-applic...
And check your password practices, your headers to prevents XSS/iframing, and get your SSL certificate checked via an online tool. Also check the version numbers of your web server, jQuery, etc to ensure that you are not using one that has a security issue.
The guy you are dealing with is not sophisticated, just looking for a quick buck doing something simple you are not doing.
Also your customers might like that you have a public big bounty program. That might give them more confidence in your security.