by codetrotter 948 days ago
> I don't think security researchers should work for free

I agree. The OP comes across a bit gatekeepy to me. Not everyone has made a big name for themselves yet.

How are you supposed to find customers in the first place? Gotta start somewhere.

Quality of the findings is orthogonal to asking for compensation.

There will always be people asking for money without providing value. But I don’t think we should throw the baby out with the bath water because of it.

There are thousands of established bug bounty programs on the web. Ones in which companies actually solicit these messages. The reason these beg bounty hunters are sending unsolicited emails instead is because these programs explicitly descope all these stupid and irrelevant findings. If you want to establish your bona fides, this is a terrible way to go about it, especially given the legitimate alternatives.

> The OP comes across a bit gatekeepy to me.

Hard, hard disagree. I'm glad this "beg bounty" behavior has a name for it, because it's so f'ing obnoxious, and so common, and all it really does is make it that much harder when a serious researcher does need to report a real vulnerability.

Let's not pretend there is some sort of gray line between what responsible disclosure looks like, and what bullshit beg bounty disclosure looks like - after all, Hunt does an excellent job showing the difference. He showed an email he wrote that identifies where he's from, and gives clear verifiable evidence of a serious breach. That is night-and-day different from the "I found something naughty on your website, will you pay me??" example from the beg bountier.

Point being, if you are a serious researcher and you have actually found a high-value vulnerability, there are proper ways to message that even when you feel compensation is warranted. These beg bounties never look like that because they all have the same Achilles' heel: the "vulnerability" is such an eye roller that they can't actually give evidence of it before asking for money precisely because they know it's so low value.

I spent some time working in bounty triage.

This behavior never rose above "mildly annoying". There are a lot of people out there who will check your website for the issues that they know how to find and fire off a form report letting you know.

They are really, really, easy to deal with. There are two major relevant strategies:

- Many programs put it explicitly in their bounty policy that they won't consider the output of an automated tool. This automatically blocks the lowest-effort submissions.

- All programs specify in their policy what they consider a vulnerability and what they don't. "SPF configuration" is a common exclusion.

So if you get a low-value report, it takes maybe one minute to respond with a pointer to the part of your policy that explains why you won't even bother considering the report. If flyby reports are a major issue for you - publish a policy!

(As a third consideration, for me personally, these reports were especially easy to handle because you'd see the same guy filing more or less identical reports to several programs, and after the first time, you'd already have a good understanding of exactly what the report was saying.)

The people filing these reports are doing valuable work. Some programs really do care about some of the issues they find. Most programs don't care about most of the issues - but you can hardly blame the researcher for finding out whether the issue they already have in their hand might be worth something.

When I saw the headline, I thought of a different phenomenon that bothered me more. Many researchers are very ...anxious... about the status of their reports. I saw one guy, apparently from Egypt, who regularly found real vulnerabilities in a major website and earned thousands of dollars a month in bounties. If a report came in from him, it got taken seriously.

But he was constantly asking for status updates and commitments on when a report might get paid out. This was unpleasant to deal with. On the other hand, I did also see a handful of reports fall through the cracks and go untouched for months at a time, so again it's hard to blame the guy too much.

> Quality of the findings is orthogonal to asking for compensation

This is a terrible take. Orthogonal to having a reputation, sure. Orthogonal to having a particular certification or credential, absolutely. But quality is absolutely non-negotiable. If your work is bad and nobody asked you to do it then you’re not a professional, you’re a charity.

The issue here is that these people aren't providing value. Further, engaging with them as serious and sincere costs in time and energy. That's expensive when there's no payoff. From my own experiences, beg bounties reliably do not have findings of a useful quality and the begging approach is a very strong signal that the juice will not be worth the squeeze.

The piece is gatekeeping in the same way the spam filters we all use are gatekeeping. There's always stuff we want to keep on the far side of our filters. Beg bounties are among them for many.