Yesterday, for the Nth time, a client had a “security researcher” send an email about a “high-impact” security vulnerability. I’ve crafted this response a few times so I figured I would blog about it.

Email from a Security Researcher

So here’s the email:

Hi <name>,

I'm <"researcher" name>, a penetration tester, and I have found a 
high-impact security vulnerability in the <company name> web app.

How can I report the issue details? Also, I'm inquiring if you 
reward reporting valid vulnerabilities.

Thanks,
<"researcher" name>

Digression About Vulnerability Disclosure Programs

In general, I’m a fan of having a vulnerability disclosure program.
Fundamentally, a disclosure program has to outline rules of engagement for reporting a vulnerability and a timeline for expecting a response. It might or might not involve a reward. The program should include some sort of scope.

This is positive, because folks who are interested in software often tinker with it (hack it) and find things that are important. Before disclosure programs and bug bounties, there was a lot of hostility to “hackers” who reported these kinds of issues, and so sometimes those issues would get sold into the zero-day market instead. A disclosure program signals a company’s positive attitude toward researchers reporting issues and gives a framework for that to happen in a trustworthy way.

I’m also a fan of bug bounty programs, which are similar but generally imply that there is a reward for a reported vulnerability, a more explicit scope, and a sense of what types of vulnerabilities may or may not be reported. Bug bounty programs are often intermediated by firms like Bugcrowd or HackerOne.

I have met a bunch of folks that are very active in this particular security community, and I’ve run bounty programs at large companies. There are a lot of great people here.

As others have stated previously, and more eloquently than I will, there is a right time and place to start a bounty program.

The TL;DR of which seems to be: bug bounties are great when you’ve got basic hygiene figured out and you have a way to handle an ongoing volume of reports.

Otherwise, you might just get inundated with information you don’t know how to deal with and only very little of which is realistically important to your security.

The Gory Detail

The truth is, these types of emails are common and often a result of someone opportunistically scanning for issues and hoping to make a little money.

They frequently identify issues such as a missing X-Frame-Options HTTP header or similar. Often, these are actually low or even informational severity, contrary to what the researcher’s email says.

Now, if the person is a legit security researcher letting you know about a problem, you want to thank them and give them a way to share what they know and ideally give them something in return. A researcher might accept recognition or swag. In the long run, we want to make these legitimate and commensurate with the value of the identified issue. I have seen researchers submit amazingly useful findings.

The problem is that most of these submissions, especially when framed like the one above, are not significant security findings at all; they are being used to spam a large number of companies in the hope that some will pay.

I have also seen “researchers” turn into extortionists who publicly complain about the way a company handles a minor problem in order to get attention and a reward.

To respond effectively, we want to engage the earnest researcher while shutting down the discussion with the extortionist.

I recommend responding with something like this email template:

Hi there,

Thank you for reaching out.  We do not currently have a 
vulnerability disclosure program, reward program or bug 
bounty in place.  

That being said, we have folks on the team that have been 
involved in those types of programs and know how to run
them and it is something we may do in the future.

If you would like to report the issue to this security@ email, 
we will track it in good faith and consider providing 
some kind of award or recognition if we can.

At the same time, having run these programs in the past, 
we also know that there are a lot of folks out there who
run scanners and submit the results to try to claim
rewards.  Those types of findings aren’t the type of
issues that our program can reward.

We certainly appreciate the security community and
understand the value of a mutually positive model for
interaction.  We’re committed to engaging with integrity.

We look forward to hearing from you.

Thank you,
Security

Of course, you have to actually engage with integrity and track the issue. If you do start a program, you should reward the researchers that reported real findings. You also have to communicate with researchers and fix issues.

Matt Konda

Matt is a software engineer. He's our CEO and a former OWASP Chair and Board Member.