by ipdashc 195 days ago
security@ emails do get a lot of spam. It doesn't get talked about very much unless you're monitoring one yourself, but there's a fairly constant stream of people begging for bug bounty money for things like the Secure flag not being set on a cookie.

That said, in my experience this spam is still a few emails a day at the most; I don't think there's any excuse for not immediately patching something like that. I guess maybe someone's on holiday like you said.


This.

There is so much spam from random people about meaningless issues in our docs. AI has made the problem worse. Determining the meaningful from the meaningless is a full time job.

This is where “managed” bug bounty programs like BugCrowd or HackerOne deliver value: only telling you when there is something real. It can be a full time job to separate the wheat from the chaff. It’s made worse by the incentive of the reporters to make everything sound like a P1 hair-on-fire issue.

Half of the emails I used to get in a previous company were pointless issues, some coming from a honeypot.

The other half was people demanding payment.

Training a tech support team of interns to solve all of them would be an enviable hacker or software dev training program.

Use AI for that :)

Not kidding, I bet LLMs are excellent at triaging these reports. Humans, in a corporate setting, are apparently not.

My favorite one is the "We've identified a security hole in your website"... and I always respond quickly that my website is statically generated, nothing dynamic, and immutable on Cloudflare Pages. For some odd reason, I never hear back from them.