I run a small internet based business from home and make a living at it to feed my family, but I'm still a one man show and internet security is far from my area of expertise.

Yesterday I received two emails from a guy who calls himself an "ethical hacker" and has identified two vulnerabilities in my system which he says could be exploited by hackers. I believe him.

The problem is, at the bottom of each email he says he "expects a bounty to be paid". Is this black mail? Is this his way of saying you'd better pay me or I'm going to wreak havoc? Or is this a typical and legitimate method for people to make a living without any nefarious intentions?

EDIT: For more clarification: He gave me two examples of vulnerabilities with screenshots and clear instructions on how to fix those vulnerabilities. One was to change the "?all" part of my SPF record to "-all" to block all other domains from sending emails for my domain. In the other email he explained how my site was able to be shown inside an iframe (enabling a technique called "clickjacking") and he also included an example of the code and instructions on how to prevent it.

Vincent
  • `Is this blackmail?` - Yes. `is this a typical and legitimate method for people to make a living without any nefarious intentions?` - No. – joeqwerty Sep 08 '20 at 17:24
  • Has he told you what the faults he's found are? – nick012000 Sep 09 '20 at 05:12
  • `I believe him.` You shouldn't. – yeah22 Sep 09 '20 at 06:09
  • Noting what everybody else has said, but you should also consider who this person is. Most if not all "ethical hackers" have a long and open history on security mailing lists and have form at both finding and fixing (or at least analysing) vulnerabilities; they aren't just "script kiddies" who hear of a flaw and scan for systems exhibiting it. – Mark Morgan Lloyd Sep 09 '20 at 07:58
  • This has two close votes now. Instead of closing, this could be migrated to [Information Security SE](https://security.stackexchange.com/). – Esa Jokinen Sep 09 '20 at 08:16
  • Did he tell you what those supposed vulnerabilities are? If so, in what detail? – marcelm Sep 09 '20 at 09:20
  • If you're running something common like WordPress then it is trivial to look up CVEs for your tech stack, pick something to scare you, and extort you for money. I would bet the vulnerabilities they found are outside your realm of knowledge and would require a patch from your tech stack. – MonkeyZeus Sep 09 '20 at 12:02
  • This should really belong to the infosec SE. – Dave White Sep 09 '20 at 15:03
  • From a comment on InfoSec SE: the response, if you get one at all, will be: `The vulnerability is that when a social engineering email is sent to the owner of the website, the owner of the website will send money for no reason. This can cause loss of profits. This vulnerability should be remediated immediately.` [source](https://security.stackexchange.com/questions/229469/is-this-email-asking-me-to-sent-them-100-for-details-on-a-security-flaw-in-my-w) – Heng Ye Sep 09 '20 at 16:07
  • Yes, he gave me two examples of vulnerabilities with screenshots and clear instructions on how to fix those vulnerabilities. One was to change the "?all" part of my SPF record to "-all" to block all other domains from sending emails for my domain. In the other email he explained how my site was able to be shown inside an iframe (enabling a technique called "clickjacking") and included an example of the code and instructions on how to prevent it. – Vincent Sep 09 '20 at 17:13
  • Even if the "vulnerabilities" are real, you should not assume they are useful unless you understand them in context yourself. For example, is there any actual way to cause harm by embedding your site in an iframe? I get these spam "vulnerability" emails all the time, but the site in question is a static marketing page with no user login capability, so there is no possible use in performing a clickjacking attack on it. These people just run "vulnerability scanners" against your site, then ask you for money. They don't actually understand the output of the tools. – Glenn Willen Sep 09 '20 at 18:34
  • Similar thread on SE: [Is this email asking me to sent them $100 for details on a security flaw in my website a scam?](https://security.stackexchange.com/q/229469/125626) – Kate Sep 09 '20 at 19:08
  • I won’t answer b/c you have several good ones to choose from already, but Esa Jokinen nailed the most important part: An *ethical* hacker will “always have an explicit permission”. – Jens Ehrich Sep 10 '20 at 01:19
  • It is also possible that (a) this person may not be fluent in English and does not realize the meaning and tone implied by their chosen words, or (b) is a newbie just starting out, looking for easy vulnerabilities and a quick pay out, thinking that always getting paid for finding such vulnerabilities is the norm. – Amer Sep 10 '20 at 07:19
  • @EsaJokinen this is a duplicate of https://security.stackexchange.com/questions/229469/is-this-email-asking-me-to-sent-them-100-for-details-on-a-security-flaw-in-my-w – Dave White Sep 10 '20 at 08:20
  • "I expect a bounty to be paid" is way different than "I expect a bounty to be paid (implicitly assumed by the tone of the rest of the email: or else I will crack your system, sell the vulnerabilities to hackers etc)". Without the full contents of the email it is hard to guess which one it is. Just because someone writes down an expectation or a request does not imply blackmail. There needs to be a *credible threat* (the threat need not be spelt out, it can be implied by tone & contents of the text). – Bakuriu Sep 10 '20 at 18:57
  • @Vincent The SPF and CORS settings are pretty trivial, neither is actually very severe and both are trivial to find/fix. It seems a *lot* like a tech support scam! The most valuable security advice would be to not reply at all because these helpful tips are very likely to pivot into you doing something unsafe with a stranger to "fix" them. – trognanders Sep 10 '20 at 20:29
  • A *bounty* is money **offered** to anyone who can find something or someone. Since you have not offered any money for finding security problems, it's false for the person sending the e-mail to call it a "bounty". – Todd Wilcox Sep 10 '20 at 22:50
  • Not blackmail, and perfectly ethical. – President James K. Polk Sep 30 '20 at 15:21
  • @ToddWilcox It's unlikely for small business owners to write out a bounty for security issues. They still might pay a bounty if they are made aware of a security issue, though. Nothing wrong with asking. – Daniel Oct 03 '20 at 13:15
  • I received a very similar email stating that my "spf" used ~all and my dmarc records were not complete, among other issues. The email had a lot of "tech speak" to sound like an actual issue. However, after some serious researching, there was no validity to the claims that were made. It's not that security isn't always a concern, and I took the email I received very seriously at first. But I was also suspicious because of the comment "I expect a bounty" which felt threatening. Just be sure to do your homework. – ea0723 Aug 17 '21 at 20:10

15 Answers

A true "ethical hacker" would tell you what issue (s)he found in your system, not ask money for that; (s)he could offer to fix it as a contractor, but that would be after telling you what the actual problem is; and in any case, it's a completely different thing from just trying to scare you into paying.

This is plain and simple blackmail.

(Also, it's a very real possibility that there is no real vulnerability and someone is just trying to scam you into paying money for nothing).

Massimo
  • While this *might* be blackmail, it's not so plain and simple at all. Therefore, I wrote a more comprehensive [answer](https://serverfault.com/a/1033175/274176) on how one might handle unsolicited vulnerability reports. – Esa Jokinen Sep 09 '20 at 07:33
  • Actually, he gave me two examples of vulnerabilities with screenshots and clear instructions on how to fix those vulnerabilities. One was to change the "?all" part of my SPF record to "-all" to block all other domains from sending emails for my domain. In the other email he explained how my site was able to be shown inside an iframe (enabling a technique called "clickjacking") and included an example of the code and instructions on how to prevent it. – Vincent Sep 09 '20 at 17:14
  • @Vincent those might be a way to lure you into trusting the scammer. – Ruslan Sep 09 '20 at 17:59
  • @Massimo You have to consider how an ethical hacker is supposed to live off her work before you set up a yardstick for what would be a "truly" ethical one. In practice, very few if any businesses will compensate for the work done - small companies cannot evaluate the worth of the work, and often don't have the money; large corporations tend to save money where they can and won't pay at all, ethical or not. (Oh, and it can't be blackmail, which requires a threat which isn't happening, and threatening with something illegal.) – toolforger Sep 09 '20 at 18:01
  • @Vincent: The SPF thing is absolutely not a vulnerability fix. It's purely a way of advising recipients of mail with your domain on the return address to help them assess whether it's spam. It's almost surely just something they threw at you as low-hanging fruit to improve your infrastructure to make it look like they have something worth your paying them money. – R.. GitHub STOP HELPING ICE Sep 09 '20 at 18:20
  • @toolforger Everybody needs to live off his/her work. Telling people "I know you have a problem, pay me to tell you what it's about" is, at best, exploiting them; at worst, blackmail. For sure, nothing that can even be remotely defined as "ethical". – Massimo Sep 10 '20 at 07:28
  • Blackmail implies consequences if you do not pay. The "ethical hacker" in this situation never threatened to take action (unless I missed a comment saying as much). Therefore it is not blackmail. – Rainbolt Sep 10 '20 at 14:15
  • @Rainbolt "That's a nice server you've got there. I noticed it has some vulnerabilities. It would be an _awful shame_ if someone were to take advantage of that..." I mean, that's not technically blackmail, you never explicitly threatened anyone, but it has the same effect. – probably_someone Sep 11 '20 at 00:43
  • And an ethical car repair shop would spend $2000 diagnosing a problem, then tell you exactly what it is, that it will cost $10 to fix it, and then ask if you would like to pay $2000 + $10 to have it fixed, which is completely voluntary! – Alex Cannon Sep 11 '20 at 04:27
  • @AlexCannon There's a big difference there. If I take my car into a shop and ask them to find the problem with my car, I'm telling them I'm willing to pay (within reason) for their time and expertise in finding the problem. If that same car shop goes down the street knocking on people's doors saying, "hey, you've never heard of us, but we randomly checked out your car, and it has this issue. Here's our bill." Maybe they're right, maybe they're lying...but either way, you didn't ask for the service...there's no obligation to pay for it. – Beska Sep 11 '20 at 13:19
  • Beska it goes both ways, the person who randomly checked your car and happens to have the knowledge of what's wrong with it, saving you from a large diagnosis bill, isn't obligated to reveal what it is. They'll expect you to pay them first or enter into some kind of agreement before they reveal it to you. Or they can temporarily fix your car to prove that they know what's wrong with it, without revealing what they did to it. By not revealing their knowledge, they're not making you a victim, or doing extortion, or scamming you, or committing fraud, or blackmail (unless they broke the car). – Alex Cannon Sep 12 '20 at 15:19
  • This answer is not even justified by the pre-edit contents of the question, and certainly post-edit it's simply incorrect. Why do you think people who do vulnerability research do not deserve to be compensated? Don't you receive compensation for your work? If you're willing to accept that they deserve compensation then how can including the information that they expect compensation possibly be blackmail. – President James K. Polk Sep 30 '20 at 15:13

While this might be blackmail, there are many possibilities for genuine good intents, too. Therefore, here's some more comprehensive thoughts on how one might handle unsolicited vulnerability reports. In short: you have every reason to be cautious, but you do not have to be rude.

Who may find vulnerabilities and why?

Ethical hackers perform their analysis based on a contract typically with predefined targets and limitations. These might be ordered assignments or more loosely defined bug bounty programs, either directly or through a platform like HackerOne. In any case, an ethical hacker (or a white hat hacker) always has an explicit permission.

From the details in this question alone it is hard to tell whether the message you got is a clear scam or someone with good intentions but a lack of understanding – or of willingness to adhere to ethical standards. The latter grey hats might even violate laws, but they do not have malicious intentions. The penetration testing industry is also extremely trendy, so there are all kinds of self-appointed penetration testers, ethical hackers, security researchers etc. with varying skills (or a complete lack of them). In this case they may benefit from some gentle guidance, whereas false accusations might lead them in the wrong direction.

I have found several vulnerabilities by accident, without an intention to poke the system in any way. These cases are usually rather harsh, and I do hesitate whether to not report it at all, report it anonymously, or report it with my name, which would give me the possibility to help them with further questions. The reality is that because I did not have permission, the receiver may interpret or handle my report in unexpected ways, possibly causing me legal charges or other problems. So far, they have been sympathetic towards me.

Do you benefit from these findings?

You are asked to pay for the findings, but without knowing the details you cannot be sure whether they are worth paying for at all. Vulnerabilities come in all shapes and sizes. Some of them are critical, and some are minor. Some may also seem problematic from outside, but are completely irrelevant to you, or within your accepted risk. One simply cannot sell vulnerabilities in pieces, bundles, kilograms, or liters.

Two examples of completely worthless reports I have got recently, both with genuine intent.

  1. A message suggested a reward for finding a web page protected by HTTP basic authentication, which indeed is not a secure authentication method. However, as it was only an extra layer of security before an actual login page, and not protecting any critical system anyway, it was not really a vulnerability at all. Therefore, the finding had zero value for the company.

  2. A report of a missing SPF record. The explanation was correct and all, but the record was not missing! Instead of querying from DNS, the "bug bounty hunter" had used a web-based SPF lookup tool but used http://example.com instead of example.com. Due to this syntax error it did not show the record.

Therefore, in order to judge the value, some details of the vulnerability must be disclosed. If someone who has found the vulnerability thinks giving out these details may result in losing the reward, the vulnerability may actually be worthless: known, easy to spot with automated tools, within accepted risk, too minor, or otherwise irrelevant. On the other hand, if the vulnerability is severe, it is often also so complex that giving some proof of concept will not completely help fixing it. The additional work required to describe and address the vulnerability is valuable and will be paid.

Esa Jokinen
  • The OP also mentions a similar claim of a "misconfigured" SPF record and a fix "to block all other domains from sending emails for my domain." I'm sure you know that's not how SPF records work. This "hacker" has found easy "vulnerabilities" to scare the OP into thinking they've got something worth paying for. I'd class this "hacker" in with the spammy emails I get saying "Your domain SEO is not optimized!" – Booga Roo Sep 10 '20 at 02:42
  • That's possible, but for both the examples I gave they were actual people using their own name, and a little background check aligned with that (LinkedIn, HackerOne, actual bug reports from the same email address etc.). Therefore, I assume they had good intentions, but a bit narrow perspective and lack of skills. It seems the Internet hasn't yet made me completely cynical after all. – Esa Jokinen Sep 10 '20 at 06:03
  • I actually had a similar experience. Guy seemed genuine, but his report was something our next round of automated security scans would have found anyways. He originally asked for a reward, but I mentioned that we have no bug bounty program and that I am not authorized to reward. Upon this, he asked for credit, a spot of notoriety on our site for his find. I tried not insulting him, since most bounty programs explicitly disallow automated scans (both for undue server load, and the generic nature of the output). I redirected him towards actual bug bounty programs and he seemed happy. – Jarrod Christman Sep 10 '20 at 19:34
  • Point being, sometimes it's just people starting out in the security world who just don't understand enough to know when it is a vulnerability, or if it is, all they may have done is parrot an automated tool's output. This does not mean they're blackmailing, rather, just a poor attempt at a side hustle. – Jarrod Christman Sep 10 '20 at 19:38
  • *ethical hacker (or a white hat hacker) always has an explicit permission.* Not at all. Information that is public does not require permission to access by any ethical standard that I'm aware of. And not everyone need have a contract in place to do work. Speculative work is common in many industries and there's no reason to exclude vulnerability analysis from that list. – President James K. Polk Sep 30 '20 at 15:26
  • It sure is *ethical* to access public information, but it's lacking the *hacking*. – Esa Jokinen Sep 30 '20 at 16:06
  • @EsaJokinen You mentioned that BasicAuth is not a "secure authentication method". I'm aware that username and password are sent over just encoded and not encrypted. I'm wondering whether your concerns apply to connections encrypted via TLS as well? I was not aware of BasicAuth being insecure over HTTPS. Any guidance is highly appreciated. – Endzeit Oct 01 '20 at 14:09
  • The direct confidentiality issue is tackled well with HTTPS. However, that's not the only problem with HTTP basic auth: it's also impossible to invalidate sessions without changing the password. – Esa Jokinen Oct 01 '20 at 14:13
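As an added example that is not from the thread or any of its participants: a small Python self-check for the two findings the OP describes (the SPF `?all` qualifier and missing clickjacking headers), which also handles the `http://example.com` lookup mistake from the second report above. It reads constructed sample DNS TXT data and HTTP headers so it runs offline; the domain names and records are placeholders, and a real check would pass a DNS TXT lookup function instead of the sample table.

```python
"""Offline self-check for an SPF 'all' qualifier and clickjacking headers.
Sample data below is constructed for the example; it is not real DNS data."""
import re
from typing import Dict, List, Optional

# Constructed sample TXT answers keyed by domain name (placeholders).
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 include:_spf.mail.example ?all", "site-verification=abc123"],
    "hardened.example": ["v=spf1 ip4:203.0.113.10 -all"],
    "softfail.example": ["v=spf1 mx ~all"],
    "nospf.example": ["site-verification=def456"],
    "double.example": ["v=spf1 -all", "v=spf1 mx -all"],
}

SPF_QUALIFIER_NAMES = {"+": "pass-all", "-": "hardfail-all",
                       "~": "softfail-all", "?": "neutral-all"}


def normalize_domain(name: str) -> str:
    """Reduce user input to a bare DNS name: 'http://Example.com/x' -> 'example.com'.
    Feeding a URL instead of a name to a lookup tool is the syntax error behind
    the 'missing SPF record' report in the answer above."""
    name = name.strip()
    name = re.sub(r"^[a-z][a-z0-9+.\-]*://", "", name, flags=re.IGNORECASE)  # scheme
    name = name.split("/", 1)[0].split(":", 1)[0]                           # path, port
    return name.rstrip(".").lower()


def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier of the first 'all' mechanism ('+', '-', '~' or '?'),
    or None when the record has no 'all' term (RFC 7208 then yields neutral).
    Mechanisms after the first match are never evaluated, so only the first counts."""
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        m = re.fullmatch(r"([+\-~?]?)all", term, flags=re.IGNORECASE)
        if m:
            return m.group(1) or "+"         # an omitted qualifier means '+'
    return None


def assess_spf(domain: str, lookup=SAMPLE_TXT.get) -> str:
    """Classify a domain's SPF posture. 'lookup' maps a name to its TXT strings
    (or None); the default reads the constructed sample table."""
    txt = lookup(normalize_domain(domain)) or []
    spf = [r for r in txt if r.lower().startswith("v=spf1")]
    if not spf:
        return "no-record"
    if len(spf) > 1:
        return "multiple-records"            # RFC 7208 section 4.5: receivers treat this as permerror
    qualifier = spf_all_qualifier(spf[0])
    return "no-all" if qualifier is None else SPF_QUALIFIER_NAMES[qualifier]


def assess_framing(headers: Dict[str, str]) -> str:
    """Classify clickjacking protection from response headers (name -> value).
    Returns 'csp' or 'xfo' when framing is restricted, 'csp-allows-all' when a
    frame-ancestors directive explicitly permits any origin, else 'unprotected'."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # Browsers that support CSP give frame-ancestors precedence over X-Frame-Options.
            return "csp-allows-all" if "*" in parts[1:] else "csp"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "unprotected"                     # ALLOW-FROM is obsolete and ignored by current browsers


# Constructed sample response headers for three hypothetical sites.
SAMPLE_HEADERS: Dict[str, Dict[str, str]] = {
    "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy": {"X-Frame-Options": "SAMEORIGIN"},
    "open": {"Server": "nginx", "Content-Type": "text/html"},
}

if __name__ == "__main__":
    for d in list(SAMPLE_TXT) + ["http://example.com"]:
        print(f"{d:22} SPF: {assess_spf(d)}")
    for site, hdrs in SAMPLE_HEADERS.items():
        print(f"{site:22} framing: {assess_framing(hdrs)}")
```

Whether an "unprotected" result matters still depends on context, as the comments note: a static page with no logged-in actions gains nothing from a frame-ancestors restriction beyond hygiene.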

It's not unusual for someone who discovers a security vulnerability to be paid a bounty for their discovery. A lot of prominent open source projects and web sites have policies of paying a bounty for responsible disclosure of a vulnerability. I don't know how common it is for companies to pay a bounty without having some sort of bounty program set up in advance though.

I received a bounty for reporting a security bug in a very prominent open source web application. Here's how it worked in my case:

  • I reported the vulnerability to the development team via their preferred reporting method, including the fact that if the bug was eligible for a bounty I would be interested (they had a public bug bounty program).
  • I kept knowledge of the vulnerability confidential while the team identified and patched the issue.
  • When a patch was released they notified me that my report was indeed eligible for a bounty and how much they'd be prepared to pay.
  • At this point I was free to discuss my vulnerability publicly (although I chose not to do so).

The key points here are that:

  1. The report was made without holding the details for ransom until I was paid.
  2. Details of the vulnerability were not made public until the vendor was able to make a fix.
  3. If the issue I reported was not in fact a security bug, I wouldn't be paid.
  4. The vendor decided how much the vulnerability was worth. They did have a public table of "Vulnerabilities of type X will be paid up to $Y" on their web site.

While I only have direct experience with this one vendor, I believe this process is pretty typical for most.

In your situation I would:

  1. Insist that the vulnerability be disclosed responsibly. i.e. To you, directly, and without any form of public, or semi-public disclosure by your "hacker". You want to be aware of this before everyone else, that's one of the things you're paying for. If your hacker posts about this publicly, or talks to his mates about it, then there's no deal.
  2. Insist that details of the vulnerability are to be verified by a security expert. Given you say you're a one man show without a lot of expertise in security, that probably means hiring someone on contract to assist you.
  3. If your expert agrees that it's a security problem, they'll be able to give you an idea of its severity and YOU can decide what it's worth.

How much should you pay? That's up to you. In my case, the vendor rated the bug as "critical" when it was patched. It could have led to serious compromise, but would have been difficult to do. I was paid a little under $5k for my efforts, which was near the top end of the range quoted on their web site.

Also, if they're just telling you about a known security vulnerability in a bit of third party software that's probably not worth much. e.g. if you were running an old version of WordPress and the bug was a known WordPress vulnerability.

Is this black mail?

If they insist that you don't get details until a bounty is paid. Yes. That's not how these programs usually work, a proper ethical hacker knows that.

Is this his way of saying you'd better pay me or I'm going to wreak havoc?

A proper ethical hacker isn't trying to wreak havoc. Nor will they be selling the vulnerability to someone else if you don't pay. But that assumes you're dealing with a legit ethical hacker, not some troublemaker who's trying to rip you off or cause trouble.

Or is this a typical and legitimate method for people to make a living without any nefarious intentions?

After I earned my bounty, I did the maths, and figured I could potentially earn a living collecting bounties. It is possible. Whether that's what your guy is up to, who knows. Trying to collect bounties from companies that don't have formal bounty programs is a pretty risky way to go about it though, which counts against your guy IMHO.

Jeff Schaller
Jim OHalloran
  • I disagree, there's a pretty clear distinction between solicited and unsolicited disclosure. Pushing someone through guilt to give you money for unsolicited service might not be illegal, but I see it as unethical. If you help someone that did not ask for it, that's great, but there should not be expectation of a reward (and even less crassly asking for it). – Leherenn Sep 10 '20 at 08:12
  • You likely used an existing bounty program from a corporation to get paid. You could sue them and win if they didn't pay out, if you documented things properly. When trying to get a bounty from an organization that doesn't have a bounty program, you have no way of ever getting them to pay you after you tell them what the vulnerability was. – Alex Cannon Sep 11 '20 at 04:34
  • @Leherenn: You seem to believe that everybody works for some big company and gets paid a salary regardless of their success. This is not so. Somebody with their own company may do unsolicited work on spec. They never get paid for the time spent doing analysis that results in no vulnerabilities, so they must get paid for their successes. And analyzing systems without a contract is perfectly acceptable; in that model the analyst takes *all* the risk, hardly unethical. – President James K. Polk Sep 30 '20 at 15:19
  • @PresidentJamesK.Polk Not at all, it's just that I do not see it as acceptable when there's the expectation of a payment. It's like someone washing your windows unsolicited, then ringing at your door asking for payment. I see this as rude. If you want to do some volunteer work and make the internet a better place, then great, thank you. If you need money, please stick to contracted work. – Leherenn Oct 02 '20 at 16:23
  • @PresidentJamesK.Polk Bug bounty programs exist for that. Companies/websites without that do not have an obligation to ever pay out - in fact they are very much in their right to report your attack on their website to the feds as it is unasked for. If you want to earn money as a free contractor, stick to companies that offer these contracts. – Yuu Nov 28 '20 at 00:11
  • @Yuu: I see no evidence in the OP's narrative that the hacker broke any law, so what exactly should be reported to the feds? It appears the hacker used only public information in their analysis. And if the hacker had obeyed your rules, the website owner would likely never have learned of these vulnerabilities because they have no bug bounty program. – President James K. Polk Nov 28 '20 at 12:52

Yes, that is blackmail.

The responsible thing to do is to inform you privately. Perhaps with a disclosure policy of eventually going public if no response after some time.

A more polite way of doing business would be a hint that you would get more reports if you offered a reward via a bug bounty or similar. But still forward the issue details regardless.

Consider hiring a security person (not this "hacker") to evaluate your systems. Whatever form that takes: a one-off engagement to do a security assessment, a bounty, or a migration to a hosted platform to outsource operations to someone else.

John Mahowald
  • The OP added in comments that the email contained details of the vulnerabilities and instructions on how to fix them. So they have informed OP privately. The vulnerabilities are also fairly minor. So I think this changes the character of the question to not be blackmail – coagmano Sep 09 '20 at 23:44

@GlennWillen's comment hit the nail on the head:

Even if the "vulnerabilities" are real, you should not assume they are useful unless you understand them in context yourself. For example, is there any actual way to cause harm by embedding your site in an iframe? I get these spam "vulnerability" emails all the time, but the site in question is a static marketing page with no user login capability, so there is no possible use in performing a clickjacking attack on it. These people just run "vulnerability scanners" against your site, then ask you for money. They don't actually understand the output of the tools.

To say it more pointedly: given the two security issues mentioned by the "hacker" (SPF ?all and clickjacking), it is most likely that the hacker has not spent any significant time or effort specifically examining OP's site.

Therefore, to avoid being marked for more specific targeting, OP should not respond to the email.

OP should check about these issues with a real security expert, but should not engage with this "hacker".

krubo

As someone working in information security and receiving quite a lot of such reports, a few comments:

  • if the hunter makes a payment a condition to reveal the vulnerability you should pass. This is either a false report, or a report from someone who is not professional (and therefore of zero or low value)
  • if the hunter provides you with partial evidence and requests money for the rest (say, they show that they accessed more data than they should have), it is blackmail. The major problem here is that you are not likely to know how to fix the issue (or maybe even understand if this is an issue at all). So paying for just the finding may not give you much. OTOH if you know someone who can fix it then it may be worth a shot, after running what you have through that "someone who can fix it"
  • if they gave you everything then you still probably need someone to fix it. If you do, a gesture would be nice (even in the form of some swag - that is a gift of some sort; it depends on plenty of factors).

You may also feel that you do not care about security - this is perfectly fine assuming that you are aware of the consequences. Since you run an internet based business I think this is not an option.

You may consider moving your business to a SaaS solution, though, if this is conceivable and let others worry about such things (including security).

WoJ

Bug bounties work the other way round!

How do they work:

  1. A service provider or software vendor announces a "bug bounty program" beforehand.
  2. A more or less ethical hacker finds a bug. They REPORT the bug using the method of communication announced in the bug bounty program. They may as well share it with some reputable security-related media or experts, who promise to keep silent for a while.
  3. The bug is evaluated by the affected parties. They decide to pay (or not to pay) the bounty and contact the hacker about the details. (They also eventually do fix the bug.)

If they don't react the proper way in a timely fashion, the hacker, the other security experts or the media involved may publicly disclose the bug, the failure of the bug bounty program and/or other details.

fraxinus
  • This is not a bug bounty. This is responsible disclosure. Both are useful. – WoJ Sep 09 '20 at 12:48
  • Bug bounty implies responsible disclosure. It is worthless otherwise. Anyway, point 1 is the most important. If someone implies a bug bounty where there is none, it is called "extortion". – fraxinus Sep 09 '20 at 13:52
  • There are organized bug hunting events (temporary or continuous) = bug bounty. A bug bounty means money in exchange for (good) bugs. Then there are companies that have a "responsible disclosure" page which states whom to contact in case of findings. Nothing about money, just a process and contacts. You are right that a bug bounty implies that the information will be shared "responsibly". – WoJ Sep 09 '20 at 13:57

Yes it is blackmail.

I have read computer law in graduate school, but speaking as an ethical hacker and bug bounty hunter myself, I never try to find vulnerabilities (known as pentesting) on websites I do not own or have express permission to test.

Bug bounty programs are there for a reason - to give hackers an avenue to find vulnerabilities and earn money for it. Testing without permission, or without a bug bounty program that automatically grants permission based on certain conditions, like what the so called 'ethical hacker' has done, can be reported to the police as it is a cyber crime - no different from a malicious hacker.

I realise that my answer is kinda late and you might have already paid, but anyone reading this in the future should absolutely not pay to these self-proclaimed 'ethical hackers'.

Now, on to the 'vulnerabilities' themselves: Neither of them are real vulnerabilities!

They are simply security best practices at best. I used to manage a bug bounty program and these kinds of reports (SPF records allow spoofing, Clickjacking) are simply a waste of time. If you do a simple Google search for them, you can see that the vast majority of bug bounty programs run by any company will automatically put these reports in the trash and possibly blacklist these reporters. It's because these 'vulnerabilities' have no real impact. Thus, the reporter isn't just a blackmailer; he's also a scammer for exaggerating the impact!

I believe him.

You should not believe people without actual credentials. By credentials I mean actual proof of their ethical hacking activities, such as having multiple CVEs to their name, having participated in security hacking competitions (CTFs) with a good track record, having presented at any technical conference, or simply having been listed on at least one Hall of Fame in any bug bounty program, etc.

And definitely not a random guy demanding money from a small site without a bug bounty program.

Yuu
  • 151
  • 4
  • Upvoted. It's rare (and honestly refreshing) to see a new user posting an actually insightful answer. – Massimo Nov 28 '20 at 00:25
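The two findings from the question (an SPF record ending in `?all` and a page that can be framed) are easy to check for yourself before deciding whether a report has any value. The following is an added example, not code from this thread or any answerer; the DNS records and HTTP headers it works on are constructed samples.

```python
"""Classify the two findings from the question: the qualifier on the 'all'
mechanism of an SPF TXT record, and whether HTTP response headers tell a
browser not to render the page inside a third-party frame.
Sample records and headers are constructed for illustration."""
import re

# What each qualifier on the "all" mechanism means to a receiving mail server.
SPF_ALL_MEANING = {
    "+": "pass: anyone may send for this domain (no protection)",
    "?": "neutral: no assertion, spoofed mail is neither accepted nor rejected",
    "~": "softfail: spoofed mail is marked suspicious but usually delivered",
    "-": "fail: spoofed mail is rejected by receivers that honour SPF",
}

def spf_all_qualifier(txt_record):
    """Return the qualifier ('+', '-', '~', '?') on the 'all' mechanism of an
    SPF record, '+' if 'all' is written bare, or None if the string is not an
    SPF record or has no 'all' term at all (e.g. a redirect= modifier)."""
    terms = txt_record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None

def spf_blocks_spoofing(txt_record):
    """True only for a hard fail (-all), the change suggested in the question."""
    return spf_all_qualifier(txt_record) == "-"

def frame_protection(headers):
    """Return 'csp', 'xfo', or None depending on which response header (if any)
    blocks framing. A CSP frame-ancestors directive that contains '*' still
    allows any site to frame the page, so it does not count as protection."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    m = re.search(r"frame-ancestors\s+([^;]*)", csp, re.IGNORECASE)
    if m and "*" not in m.group(1).split():
        return "csp"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return None

if __name__ == "__main__":
    # Constructed records: the "before" and "after" of the SPF advice.
    for rec in ("v=spf1 include:_spf.example.net ?all",
                "v=spf1 include:_spf.example.net -all"):
        print(rec, "->", SPF_ALL_MEANING[spf_all_qualifier(rec)])
    # Constructed headers: unprotected vs. protected against framing.
    print(frame_protection({"Content-Type": "text/html"}))
    print(frame_protection({"X-Frame-Options": "SAMEORIGIN"}))
```

Feed it the TXT record returned by `dig TXT yourdomain` and the headers from `curl -I https://yourdomain` to reproduce both findings without giving anyone else access.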
2

Does the information provided speak for itself? And can it be validated? I might be inclined to respond promptly if the first is true, saying I am proceeding toward due diligence around the information provided.

If all is confirmed, what is the value of this information to you?

What type of relationship would you like in support of these interests? I would expect to know a person's expected form of payment and business entity as well as other details related to the norms of business. I'd ask for all of this in my response.

Negotiate with the person to proceed if you want to do business, having in mind that you could change your mind any time, both for and against.

If they turn out to be engaged in criminal activity you'll need to provide all the collected information to the authorities (FBI?).

Otherwise you may end up with a better service, saved resources and good value. Keep in mind anyone can change behavior and business relationships any time. It's helpful to establish trust and clearly lay the cards out. Don't assume they're out to extort you regardless of style of presentation. It helps to maintain professionalism, clarity and integrity such that everyone can leave with their dignity. Hope this provides substantive context and contrast as well as usefulness in your situation.

jimmont
  • 121
  • 3
1

I find it most likely that this is spam mail, which means that the proper response is no response.

Somebody gets a list of small businesses and sends emails like that to everybody. Out of the millions targeted, a few will bite and send them money.

In addition to losing that money, the victims are now on a list of gullible people, people who will be targeted for further scams, involving more personal attention from the scammer and more money.

Don't end up on the gullible people list.

Of course, you should also tighten up your security anyway:

Back up your data. Make sure the backup is not hackable: just put it on a disk that is not plugged in.

Change your passwords. Don't use the same password for different services.

Make a schedule for backing up your data periodically.

Stig Hemmer
  • 187
  • 3
  • 2
    My experience as a recipient of these: I think they are not usually truly bulk in the way you suggest. However, they generally seem to be the result of running "security analysis" tools against our site, usually by a person who doesn't understand how to interpret the output, making it of no actual use. – Glenn Willen Sep 09 '20 at 18:32
1

First, can you reproduce an actual vulnerability from that information?

Second, does the solution provided actually fix that vulnerability?

If both are yes then you may feel like this was useful and pay a bounty, but you are under no obligation to.

Asking for a bounty when there was none advertised isn't good business, even if all the necessary information is provided. If this "hacker" is contacting you and asking for a bounty without giving you all the details you need to reproduce the vulnerability yourself then that is blackmail and possibly a scam if the vulnerability is bogus.

Kafein
  • 111
  • 1
1

Sounds more like a generic footnote, phishing as it were for bounty programs? It doesn't sound like he directly referenced it in the body of the email; feels like the result of a mass sweep, albeit probably unsuccessfully as it's not against a developed application. I don't think anyone would pay for something easily revealed in a security sweep/pen test, but the vulnerability should not be discounted.

If this has provided genuine value there's no harm in acknowledging them through some form of fee or reward, but also no obligation I'd feel; the initial engagement should have felt less spammy/threatening. Did it hit multiple domain administrator addresses (webmaster, admin, postmaster etc.) or was communication sought directly?

If the email had qualified it with "if you have an active bounty program, I would like to submit against this", it would have seemed better? English may not be their primary language and foreign ways of speaking can come across as quite abrupt when directly translated, but this is all guesswork without seeing the composition.

1

There are ethical hackers and then there are "Ethical" hackers. It might not be right, or sometimes even dangerous, to mistake one for the other. Check hacker communities and platforms like hackerone.com and you can tell the difference between the two.

There are those who actually make a dedicated effort to test your server, check for all vulnerabilities and report everything to you upfront. So if there are 10 bugs they can find, they report all of them to you to decide.

Then there are those who mass scan multiple websites for well-known and easily findable errors like web servers disclosing the Nginx version, which can be easily fixed by setting `server_tokens off;` in the Nginx config. These types of hackers also have a suspense element: in a way they first bait with a few errors, check the victim's pulse and then prey upon them.

So if it were me, I'd get myself a good ethical hacker to find every other vulnerability and fix them all together, or to say, never let a hacker/stranger have the upper hand in this negotiation. Good luck.

Ajay Singh
  • 298
  • 1
  • 2
  • 12
0

As others have said, it's likely some kind of partially automated vulnerability scan where you pay money for them to fix some outdated software that should have been fixed anyway.

But don't ignore it, just tell the person that they need to provide some way to prove that there is a vulnerability that can actually be used to cause harm. Give them permission to do a proof of abilities test on your site, where they gain access or steal some information without actually using it to do harm. If they are able to do this, then you can start to talk business.

You may need to arrange some kind of 3rd party escrow since neither of you likely trusts the other party enough to follow through on your side of the deal first.

Alex Cannon
  • 131
  • 2
0

This is what we refer to as "gray hat" hacking. It's a mixture of white- and black-hat intentions. Gray hats typically do report vulnerabilities for websites, but not out of good will. They will typically tell you to pay a bounty and they will fix it for you. They could possibly be scams, but most will tell you what it is or something to prove legitimacy to you. They normally do this unsolicited.

austanss
  • 101