Is soliciting money/rewards for 'responsible' security disclosures when none is stated a thing now?
I just got this in my e-mail...

------
From: xxxxxxx <xxxxxxxxxx6@iqra.edu.pk>
Date: Thu, 3 Mar 2022 03:14:03 +0500
Message-ID: <xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@mail.gmail.com>
Subject: Found Security Vulnerability
To: undisclosed-recipients:;
Bcc: sxxxxxxxxx@ahbl.org

Hi Team

I am a web app security hunter. I spent some time on your website and found some vulnerabilities. I see on your website you take security very passionately.

Tell me will you give me rewards for my finding and responsible disclosure? if Yes, So tell me where I send those vulnerability reports? share email address.

Thank you

Good day, I truly hope it treats you awesomely on your side of the screen :)

xxxxx Security
------

Is soliciting for money/rewards when the site makes no indication they offer them a common thing now?

If you want to see a copy of the original message, let me know off list and I'll send it to you.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
Better known as Beg Bounties. https://www.troyhunt.com/beg-bounties/

It's a thing.

On Thu, 3 Mar 2022 at 09:32, Brie <bruns@2mbit.com> wrote:
I just got this in my e-mail...
------
From: xxxxxxx <xxxxxxxxxx6@iqra.edu.pk>
Date: Thu, 3 Mar 2022 03:14:03 +0500
Message-ID: <xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@mail.gmail.com>
Subject: Found Security Vulnerability
To: undisclosed-recipients:;
Bcc: sxxxxxxxxx@ahbl.org
Hi Team
I am a web app security hunter. I spent some time on your website and found some vulnerabilities. I see on your website you take security very passionately.
Tell me will you give me rewards for my finding and responsible disclosure? if Yes, So tell me where I send those vulnerability reports? share email address.
Thank you
Good day, I truly hope it treats you awesomely on your side of the screen :)
xxxxx Security
------
Is soliciting for money/rewards when the site makes no indication they offer them a common thing now?
If you want to see a copy of the original message, let me know off list and I'll send it to you.
--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
On Wed, 02 Mar 2022 15:30:29 -0700, Brie said:
I just got this in my e-mail...
I am a web app security hunter. I spent some time on your website and found some vulnerabilities. I see on your website you take security very passionately.
I've gotten similar spam a number of times over the years (though people offering to do SEO on my site are much more frequent). The odd thing is - as far as I know, I don't *have* a website....
This is typical "Beg bounty". https://www.troyhunt.com/beg-bounties/

On 2022-03-03 00:30, Brie wrote:
I just got this in my e-mail...
------
From: xxxxxxx <xxxxxxxxxx6@iqra.edu.pk>
Date: Thu, 3 Mar 2022 03:14:03 +0500
Message-ID: <xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@mail.gmail.com>
Subject: Found Security Vulnerability
To: undisclosed-recipients:;
Bcc: sxxxxxxxxx@ahbl.org
Hi Team
I am a web app security hunter. I spent some time on your website and found some vulnerabilities. I see on your website you take security very passionately.
Tell me will you give me rewards for my finding and responsible disclosure? if Yes, So tell me where I send those vulnerability reports? share email address.
Thank you
Good day, I truly hope it treats you awesomely on your side of the screen :)
xxxxx Security
------
Is soliciting for money/rewards when the site makes no indication they offer them a common thing now?
If you want to see a copy of the original message, let me know off list and I'll send it to you.
On Fri, Mar 04, 2022 at 11:33:47PM +0200, Denys Fedoryshchenko wrote:
This is typical "Beg bounty". https://www.troyhunt.com/beg-bounties/
This probably isn't even that. I've seen a bunch of similar spam to various role accounts, some at domains that don't even have a website, in the last month or so. Several contained "real names" of alleged security researchers that did not seem to exist in the real world.

It is worth remembering that bad guys may be interested in collecting the e-mail addresses of people who are responsible for security within your organization. These could be used to target those people with malware, or to forge legitimate-looking e-mails "from" your security department to your other employees.

It is likely that no good can come of engaging with these.

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'" -Asimov
I had a situation like that a few years ago. Someone accidentally included the .git directory in a docker image that was deployed to a customer's website. Unfortunately early checkins of the .git directory included a copy of the WordPress (yuck!) config file with hard-coded passwords. Those were moved to environment variables, but never changed. And for some reason the "developer" left indexing turned on.

So the person was able to download the git directory and walk back through the history and found the passwords....and then connected to the database which had some mild PHI (first names and phone numbers).

Since the tech contact for the domain came back to my company and not the developer, they reached out to me. After a few pleasant emails back and forth he told me exactly where he found the passwords. I rotated passwords and yelled at the developer, and thanked the guy who found it.

He kindly asked if I would "donate" to him by buying something from his Amazon wishlist. I should note that he asked *after* he told us exactly what the problem was.

I discussed it with the client and they picked some ~$400 item from the list and sent it to him. It could have been worse, but everyone involved agreed that it would be nice to reward the guy for pointing out the blunder. $400 was a small price to pay for the client since they do something like $10 million USD per month.

After that the client paid for a full security audit of their web presence by a 3rd party company and everything came back clean.

Do what you think is appropriate, but I'm all for encouraging responsible and positive disclosure as well as being kind. If the guy had started the email with "send me money or else I'll disclose" the entire process would have been very different.

-A

On Wed Mar 2, 2022, 10:30 PM GMT, Brie <bruns@2mbit.com> wrote:

I just got this in my e-mail...

------
From: xxxxxxx <xxxxxxxxxx6@iqra.edu.pk>
Date: Thu, 3 Mar 2022 03:14:03 +0500
Message-ID: <xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@mail.gmail.com>
Subject: Found Security Vulnerability
To: undisclosed-recipients:;
Bcc: sxxxxxxxxx@ahbl.org

Hi Team

I am a web app security hunter. I spent some time on your website and found some vulnerabilities. I see on your website you take security very passionately.

Tell me will you give me rewards for my finding and responsible disclosure? if Yes, So tell me where I send those vulnerability reports? share email address.

Thank you

Good day, I truly hope it treats you awesomely on your side of the screen :)

xxxxx Security
------

Is soliciting for money/rewards when the site makes no indication they offer them a common thing now?

If you want to see a copy of the original message, let me know off list and I'll send it to you.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
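The incident Aaron describes (a .git directory shipped in the deployed image, directory indexing left on, and a hard-coded password still present in early history even after the working copy was switched to environment variables) has two checks a defender can automate: notice from the access log when /.git/ paths are being served with 2xx responses rather than 404s, and audit the deployed web root for a .git directory and for quoted credential literals in PHP config. The script below is an added example, not code from the thread or from any project named in it; the log lines, the temporary web root, the credential value and the function names are all constructed for the example. The credential regex deliberately matches only quoted literals, so a define that reads its value from getenv() is not flagged, which is the distinction between "moved to environment variables" and "hard-coded" that the post draws. Note that removing the file from the working tree does not remove it from history, so the only real remedy once a .git directory has been served is rotation.

```python
"""Defender-side checks for a .git directory exposed in a deployed web root.

Added example: not the thread's code nor any project's. Log lines, web root,
credential value and function names are constructed for illustration.
"""
import os
import re
import tempfile

# Constructed access-log lines (combined format). Client addresses are from
# the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2022:03:10:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2022:03:10:02 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2022:03:11:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2022:03:11:41 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2022:03:12:15 +0000] "GET /.git/objects/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def find_git_exposure(log_text):
    """Map client IP -> list of /.git paths the server actually served (2xx).

    A 404 for /.git/HEAD is only a probe and is not reported; a 2xx means the
    repository metadata, and with it the whole history, was downloadable.
    """
    served = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]
        if (path == "/.git" or "/.git/" in path) and m.group("status").startswith("2"):
            served.setdefault(m.group("ip"), []).append(path)
    return served


# Only quoted literal values match; define('AUTH_KEY', getenv('AUTH_KEY'))
# does not, because getenv( is not a quote character.
CRED_RE = re.compile(
    r"""define\(\s*['"](?P<name>DB_PASSWORD|AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY)['"]"""
    r"""\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)"""
)


def audit_webroot(root):
    """Walk a deployed web root and return sorted findings:
    ('git_dir', relpath)                  a .git directory that would be served
    ('literal_credential', 'file:NAME')   a quoted credential define in PHP
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            rel = os.path.relpath(os.path.join(dirpath, ".git"), root).replace(os.sep, "/")
            findings.append(("git_dir", rel))
            dirnames.remove(".git")  # no need to descend into repository internals
        for fn in filenames:
            if not fn.endswith(".php"):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-8", errors="replace") as fh:
                for m in CRED_RE.finditer(fh.read()):
                    if m.group("value"):  # an empty string is a placeholder, not a secret
                        rel = os.path.relpath(full, root).replace(os.sep, "/")
                        findings.append(("literal_credential", f"{rel}:{m.group('name')}"))
    return sorted(findings)


def build_demo_webroot():
    """Create a constructed web root reproducing the blunder: .git shipped next
    to a wp-config.php whose DB password is a quoted literal."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, ".git", "objects"))
    with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/main\n")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\n"
                 "define('DB_USER', 'wp');\n"
                 "define('DB_PASSWORD', 'constructed-example-password');\n"  # flagged
                 "define('AUTH_KEY', getenv('AUTH_KEY'));\n")               # not flagged
    return root


if __name__ == "__main__":
    for ip, paths in find_git_exposure(SAMPLE_LOG).items():
        print(f"{ip} was served repository metadata: {', '.join(paths)}")
    for kind, detail in audit_webroot(build_demo_webroot()):
        print(f"{kind}: {detail}")
```

Run against a real log and web root, the two functions answer different questions: the log check tells you whether exposure already happened (and to whom), which decides whether rotation is required; the web-root check catches the packaging mistake before the image ships, and belongs in CI next to a .dockerignore that excludes .git.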
participants (6)

- Aaron de Bruyn
- Brie
- Denys Fedoryshchenko
- Joe Greco
- Kieran Murphy
- Valdis Klētnieks