Beg Bounty Hunting – Why Do People Do It, And How?

By Soko Directory Team / Published April 10, 2021 | 11:13 am




KEY POINTS

Organizations with a program simply filter out such reports and point submitters to the program/policy explaining why these types of reports don’t qualify for payment.



By Chester Wisniewski

I recently wrote a Sophos News article on the whole phenomenon of “beg bounties” and invited organizations that had been affected to get in touch. Many did, and some had amazing stories to tell. In this article, I will explain what I learned about why people become beg bounty hunters and how they approach it. A further article will detail the experience of one particular target.

Nearly ten years ago, when bug bounties went mainstream with the launch of Bugcrowd and HackerOne, thousands flocked to these services to make a few bucks. The problem is that to make any real money you need well-honed skills. The low-hanging fruit has already been picked. Additionally, organizations sophisticated enough to launch a bug bounty program are unlikely to be duped by spurious claims.

Organizations with a program simply filter out such reports and point submitters to the program/policy explaining why these types of reports don’t qualify for payment. Those without programs, however, are likely unprepared to deal with these “security advisories.” They may overestimate the severity of the risk reported and can find it harder to explain that they don’t pay for bug reports at all, let alone something of low severity.

Enter the “beg bounty”. I wrote about this a few weeks ago, and it seems to have struck a chord with some of our readers. Security engineers reached out with their own experiences, and I learned of a couple more examples fielded by the security team at Sophos. The concept of begging for a reward for innocuous or meaningless reports appears to be reaching a fever pitch.

Target anyone, try anything.

This growth appears to be fueled by the same thing driving so many other fads on the internet: social media influence. There is a whole cadre of people on social media who are sharing their experiences of making money through legitimate programs as bug bounty hunters. This has led to a large number of people interested in making money this way for themselves.

A few of these bounty hunters have built up a reasonably large following and are using that fame to launch training and penetration testing services. To make the most of their following, they often suggest their followers get started by finding and submitting anything and everything that might possibly get a recipient to pay. They suggest that it is quantity, not quality that will set you off down the path to vulnerable riches.

Search bots and ciphers

One of the more ridiculous submissions I’ve seen came through last week. This person seems to think that having a robots.txt file, which tells search bots what you don’t want indexed on search engines, is a vulnerability. A robots.txt file is a voluntary hint to crawlers, not an access control; the only real hardening note is not to list sensitive paths in it, and even that is a disclosure to tidy up, not a bug. This is really scraping the bottom of the barrel…

Another ‘beggar’ recently targeted a large media company in France. Based on the correspondence, it is unlikely they understood who the targeted company was, but they started the conversation by proclaiming they had found that the target’s website was vulnerable to “weak ciphers.”

They included a screenshot and a link to a stock report from Qualys SSL Labs. While the flagged cipher suites are in fact weak by today’s standards, a scanner grade is not evidence that any of them has been exploited against this site, and it is a stretch to consider this a vulnerability per se rather than a hardening item.

The message was sent from a Gmail account and ends hopefully: “Regards. Found More bugs on your website reply me so that I may disclose them further.” (sic)

In a follow-up message, they go on to say: “We have found more bugs/vulnerability in your website. Kindly clarify if there is any payout if we disclose them to you?”

The recipient replied thanking the reporter and explaining that they can’t release payments to individuals, only to companies, and then only if the bug deserves compensation.

The reporter replied back asking for money directly at that point: “We understand but my team worked very hard to find these bugs in your website. We have found more. If you can pay us a small token of appreciation of 100-150$ we will submit all of our reports.”

After explaining again that they only pay companies, the reporter points the IT person to a website, which is mostly cut and pasted text from Wikipedia in a basic CMS. The company does not appear to be a legitimately registered company.

Again, the IT representative explains that he needs a company invoice and gives them the street address to submit the invoice to for payment consideration. The hunter responds a few days later asking for a two-day subscription to their publication (?).

Funnily enough, it appears that Google had suspended the reporter’s account right after they contacted the person at the victim company. When the reporter contacted the organization again, they used another Gmail account with the number on the end incremented by two.

Also, note that the person reporting the weak TLS ciphers on this company’s website doesn’t use encryption at all on their “company” website.
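When a “weak ciphers” report like the SSL Labs screenshot above lands in an inbox without a security team behind it, the useful first step is to separate suites that are actually broken (NULL, anonymous, export-grade, RC4) from ones that are merely deprecated (3DES, CBC modes, non-forward-secret RSA key exchange), and then to reproduce the claim yourself instead of trusting a screenshot. The Python below is an added example written for this article, not code from Sophos, Qualys or the author. The cipher-suite list is a constructed sample in the style of a scanner listing, and the classification rules are this example’s own assumptions modelled on common scanner conventions; `probe_server` is a network helper that is not exercised by the offline sample.

```python
"""Triage a 'weak ciphers' report: classify the suites a scanner lists, then
(optionally) reproduce the claim against the real server.

Added example, not from the article. Rules and sample data are assumptions.
"""
import re
import socket
import ssl

# Constructed sample of what a scanner might list for a server (not a real scan).
SAMPLE_SCAN = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
]

# Ordered rules, first match wins (assumed thresholds, modelled on scanner habits):
#   broken  - practical attacks exist or there is no confidentiality/authentication
#   weak    - deprecated (64-bit blocks, CBC/MAC-then-encrypt, no forward secrecy)
#   ok      - TLS 1.3 suites or AEAD with an (EC)DHE key exchange
RULES = [
    ("broken", re.compile(r"_NULL_|_anon_|EXPORT|RC4|_DES_|MD5$")),
    ("weak", re.compile(r"3DES|_CBC_|^TLS_RSA_WITH_|^TLS_DH_RSA|^TLS_DH_DSS")),
    ("ok", re.compile(r"^TLS_(AES|CHACHA20)_|ECDHE|DHE")),
]


def classify(suite):
    """Map one IANA-style suite name to 'broken', 'weak', 'ok' or 'unknown'."""
    for verdict, pattern in RULES:
        if pattern.search(suite):
            return verdict
    return "unknown"


def triage(suites):
    """Bucket the suites and produce a one-line verdict for the ticket."""
    buckets = {"broken": [], "weak": [], "ok": [], "unknown": []}
    for suite in suites:
        buckets[classify(suite)].append(suite)
    if buckets["broken"]:
        summary = "finding: broken suites offered; fix the TLS config and track it as a real misconfiguration"
    elif buckets["weak"]:
        summary = "hardening: only deprecated suites; put it on the backlog, it is not an exploit"
    else:
        summary = "no action: only modern suites offered"
    return buckets, summary


def probe_server(host, port=443, families=("RC4", "3DES", "aNULL", "eNULL", "EXP"), timeout=5):
    """Reproduce the scanner's claim: try to negotiate each legacy OpenSSL cipher
    family against host:port and record what the server accepted.

    Returns {family: negotiated cipher name | None (refused) | explanation string}.
    This needs network access and is not run by the offline sample above.
    """
    results = {}
    for family in families:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # we are testing cipher acceptance, not the cert
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 ignores set_ciphers()
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
            # @SECLEVEL=0 asks our own OpenSSL to permit legacy suites on the client side.
            ctx.set_ciphers(f"{family}:@SECLEVEL=0")
        except (ssl.SSLError, ValueError) as exc:
            # Our client cannot even offer the family; a modern client could not either.
            results[family] = f"client cannot offer this family ({exc})"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[family] = tls.cipher()[0]
        except (ssl.SSLError, OSError):
            results[family] = None      # handshake refused (or host unreachable)
    return results


if __name__ == "__main__":
    buckets, summary = triage(SAMPLE_SCAN)
    for verdict in ("broken", "weak", "ok"):
        print(f"{verdict:>6}: {', '.join(buckets[verdict]) or '-'}")
    print(summary)
```

Run it as-is to see the constructed sample triaged; call `probe_server("www.example.com")` (hypothetical host) to check a live server. Note that if your own OpenSSL refuses to offer a family, the report’s concern is largely moot for any modern client, which is the point a reply to such a “report” usually needs to make.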

Before I was even able to finish looking into this person, another person sent a message to the same company offering to “draw your attention to some of the vulnerabilities in your site.” I see where this is leading and I suspect the outcome will only be more wasted time.

Don’t feed the trolls, don’t encourage begging, and it’s always DNS. That may be the three IT maxims to live by in 2021.




