by 0x53 948 days ago
I guess I wonder about the opposite side of this. While I hate the beg bounty people as well, I don't think security researchers should work for free. I have found several security vulnerabilities that I have never reported to the company because their security policy was basically "send us everything you found for free and we won't give you any credit".

Nobody's asking security researchers to work for free. The people asking security researchers to work are paying them for that work.

If you're doing unasked-for work, you can't expect to get paid.

I agree. But there are advantages to be gained beyond mere payment (assuming the work is somewhat more than just "I fed your name into ssllabs").

Say you find a genuine issue. You can document it and send it to them. You might suggest an appropriate amount, but you've given them something to evaluate. Chances are you get nothing, but there is still other value in the exercise.

You can also add this to your portfolio. Once you have a few of these, apply for jobs at security firms. They can judge your skill level to see if you're worth adding to the team.

You can also determine if this is a whole class of problem. Publishing the issue (without naming the company involved) raises your profile. You can leverage that profile into paid work down the road.

Of course you should understand all this before you "do the work" in the first place. If you're gonna do random drive-by work you should understand your goals. Given that the parent did not disclose, presumably there was some other motivation in play.

> I have found several security vulnerabilities that I have never reported to the company

There's no problem with that. Anyone who does report anything is doing them a favor. Which they often repay with lawsuits.

> I don't think security researchers should work for free

I agree. The OP comes across a bit gatekeepy to me. Not everyone has made a big name for themselves yet.

How are you supposed to find customers in the first place? Gotta start somewhere.

Quality of the findings is orthogonal to asking for compensation.

There will always be people asking for money without providing value. But I don’t think we should throw the baby out with the bath water because of it.

There are thousands of established bug bounty programs on the web. Ones in which companies actually solicit these messages. The reason these beg bounty hunters are sending unsolicited emails instead is because these programs explicitly descope all these stupid and irrelevant findings. If you want to establish your bona fides, this is a terrible way to go about it, especially given the legitimate alternatives.

> The OP comes across a bit gatekeepy to me.

Hard, hard disagree. I'm glad this "beg bounty" behavior has a name for it, because it's so f'ing obnoxious, and so common, and all it really does is make it that much harder when a serious researcher does need to report a real vulnerability.

Let's not pretend there is some sort of gray line between what responsible disclosure looks like, and what bullshit beg bounty disclosure looks like - after all, Hunt does an excellent job showing the difference. He showed an email he wrote that identifies where he's from, and gives clear verifiable evidence of a serious breach. That is night-and-day different from the "I found something naughty on your website, will you pay me??" example from the beg bountier.

Point being, if you are a serious researcher and you have actually found a high-value vulnerability, there are proper ways to message that even when you feel compensation is warranted. These beg bounties never look like that because they all have the same Achilles heel: the "vulnerability" is such an eye roller that they can't actually give evidence of it before asking for money precisely because they know it's so low value.

I spent some time working in bounty triage.

This behavior never rose above "mildly annoying". There are a lot of people out there who will check your website for the issues that they know how to find and fire off a form report letting you know.

They are really, really, easy to deal with. There are two major relevant strategies:

- Many programs put it explicitly in their bounty policy that they won't consider the output of an automated tool. This automatically blocks the lowest-effort submissions.

- All programs specify in their policy what they consider a vulnerability and what they don't. "SPF configuration" is a common exclusion.

So if you get a low-value report, it takes maybe one minute to respond with a pointer to the part of your policy that explains why you won't even bother considering the report. If flyby reports are a major issue for you - publish a policy!

(As a third consideration, for me personally, these reports were especially easy to handle because you'd see the same guy filing more or less identical reports to several programs, and after the first time, you'd already have a good understanding of exactly what the report was saying.)

The people filing these reports are doing valuable work. Some programs really do care about some of the issues they find. Most programs don't care about most of the issues - but you can hardly blame the researcher for finding out whether the issue they already have in their hand might be worth something.

When I saw the headline, I thought of a different phenomenon that bothered me more. Many researchers are very ...anxious... about the status of their reports. I saw one guy, apparently from Egypt, who regularly found real vulnerabilities in a major website and earned thousands of dollars a month in bounties. If a report came in from him, it got taken seriously.

But he was constantly asking for status updates and commitments on when a report might get paid out. This was unpleasant to deal with. On the other hand, I did also see a handful of reports fall through the cracks and go untouched for months at a time, so again it's hard to blame the guy too much.

> Quality of the findings is orthogonal to asking for compensation

This is a terrible take. Orthogonal to having a reputation, sure. Orthogonal to having a particular certification or credential, absolutely. But quality is absolutely non-negotiable. If your work is bad and nobody asked you to do it then you’re not a professional, you’re a charity.

The issue here is that these people aren't providing value. Further, engaging with them as serious and sincere costs in time and energy. That's expensive when there's no payoff. From my own experiences, beg bounties reliably do not have findings of a useful quality and the begging approach is a very strong signal that the juice will not be worth the squeeze.

The piece is gatekeeping in the same way the spam filters we all use are gatekeeping. There's always stuff we want to keep on the far side of our filters. Beg bounties are among them for many.