A long standing client of ours received an email recently:
“Hey , I just found a bug in your web and it can cause harm your web and Users so can we report here. then will i get bounty reward in PayPal or Bitcoin for security bug.
Independent Security Resercher”
We’ve seen similar emails come through with different clients. It prompted the question: What should you do when you receive a bug report by email? Are you in danger of getting hacked? Should you offer a payment for bug reports?
On the face of it, receiving a bug report by email is a positive thing. You want to make your website as safe as possible and if someone else has found a flaw, then you’d like to fix it. And you would probably be inclined to reward that person in some way for their efforts.
For example, if your neighbour came round and told you that you’d left your window open, you might thank them and ask them in for a cup of tea and some biscuits.
Is this bug report email a legitimate offer to help?
Let’s go back to the original bug report email. Does it sound like a friendly neighbour trying to help you out?
Let’s run through a quick checklist:
- Does the email offer any information you can act on? Clearly not. There is no mention of the part of the website that is supposedly insecure, nor the type of bug that was discovered.
- Does the email come from a reputable source? This particular email was sent from a Gmail address. It’s also full of spelling and grammar mistakes (even ‘Resercher’ (sic) is spelt incorrectly!). So, no, it doesn’t come from a reputable source.
- What is the sender’s motivation? The email is clearly an attempt to extract payment, rather than help you fix a bug on your website. Rather than coming from a friendly neighbour (or at least a helpful professional), it reads more like a threat, a thinly veiled attempt at extortion.
If you’re still not convinced that this bug report email is illegitimate, let’s flip the situation on its head.
Suppose you were a security researcher and you found a bug on a website. What kind of email would you send? It is essentially a method of cold-calling in order to complete a sale. To increase your chances of success, you’d want to include specific information to show that you actually know what you’re talking about. And you’re likely to want to back this up with links to previous work, perhaps a link to your security company’s website, a security / research blog, etc.
I’m going to invoke Occam’s Razor on this one:
“The explanation requiring the fewest assumptions is most likely to be correct.”
Which do you think is simpler?
Option 1: This is a legitimate security researcher, who really wants to help but just isn’t very good at writing emails?
Option 2: This is a scam sent to a large number of websites with the aim of inciting fear and extracting money?
My money is on Option 2!
And with that decision made, my advice is clear: Trash the email, ignore it, don’t reply.
Engaging in rational discussion with someone who is likely to be a borderline criminal is not going to lead anywhere.
Positive action you can take instead
You’ve decided to ignore the email – but is that the end of the matter?
Now that you’ve become aware of the potential threat of having bugs on your website, it might be a good time to carry out a security audit.
As a good starting point, read The Most Common Website Security Risks 2017 tech hug. Speak to your tech team to make sure they are aware of web application security risks, and ask them how their chosen programming tools and frameworks protect against them.