Ask HN: How do you deal with unsolicited bug bounty hunters? - cyberferret
I was emailed yesterday by someone out of the blue claiming to be a security researcher who 'found' a security flaw in our SaaS app.

I was highly skeptical, and asked for details on the severity of the bug, plus any past references and work history regarding his bug bounty work, but he refused to give me much information until after I agreed to pay him a minimum $250 bounty.

I refused to do so, but then I noticed on our 'God mode' dashboard that he created an account on our SaaS and then tried to upload an image with a malicious header as his avatar. Our system detected this, logged it and warned us, and stopped the activity. Our hunter then simply logged off and disappeared, and we terminated his account in the system.

Just curious as to how other DevOps or developers out there deal with unsolicited bounty hunters like this? What is the best way to ascertain if their request is legitimate or not? How do you handle the 'chicken and egg' situation of agreeing to payment just in case they have found a valid security hole?
======
bhouston
There is a whole industry of people in India/Pakistan that do this. Their
recommendations are pretty straightforward and usually based on basic
vulnerability scanners and password best practices. It is very likely you can
figure out your issue yourself; it is likely very obvious.

I believe that this user is likely correct that there is a vulnerability, and I
would suspect it is a fairly straightforward one and you'll think it wasn't
worth even $250.

Here is a list of open source vulnerability scanners:

[https://resources.infosecinstitute.com/14-popular-web-application-vulnerability-scanners/](https://resources.infosecinstitute.com/14-popular-web-application-vulnerability-scanners/)

And check your password practices, your headers to prevent XSS/iframing, and
get your SSL certificate checked via an online tool. Also check the version
numbers of your web server, jQuery, etc. to ensure that you are not using one
that has a security issue.

The guy you are dealing with is not sophisticated, just looking for a quick
buck doing something simple you are not doing.

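The header checks bhouston lists (iframing, XSS, version disclosure) are easy to run yourself before deciding whether a $250 tip is worth anything. The following is an added example, not code from the thread or from any commenter: it audits a response's headers as a plain dictionary, so it runs offline against constructed sample responses. The header names and directives are the real ones; the two sample responses and the finding strings are constructed for illustration.

```python
"""Added example: audit an HTTP response's security headers offline.

Takes a dict of response headers and returns a list of findings. The two
sample responses at the bottom are constructed, not captured from any site.
"""
from typing import Dict, List


def audit_security_headers(headers: Dict[str, str], https: bool = True) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged.

    headers: response header names -> values (looked up case-insensitively).
    https:   True if the response was served over TLS (HSTS only applies then).
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive
    # must restrict who may frame the page.
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "")
    if "frame-ancestors" not in csp.lower() and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("framing not restricted: set X-Frame-Options or CSP frame-ancestors")

    # XSS: a CSP is the meaningful control; 'unsafe-inline' in script-src
    # largely defeats it.
    if not csp:
        findings.append("no Content-Security-Policy")
    else:
        directives = {d.strip().split(" ")[0]: d.strip()
                      for d in csp.split(";") if d.strip()}
        script_src = directives.get("script-src") or directives.get("default-src", "")
        if "'unsafe-inline'" in script_src:
            findings.append("CSP allows inline scripts in script-src")

    # MIME sniffing: browsers should not second-guess the declared type.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    # HSTS: only meaningful on TLS responses.
    if https and "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")

    # Version disclosure: a digit in Server / X-Powered-By usually means a
    # version string that makes the "your jQuery/nginx is old" tip trivial.
    for name in ("server", "x-powered-by"):
        val = h.get(name, "")
        if any(ch.isdigit() for ch in val):
            findings.append(f"{name} discloses a version: {val!r}")

    return findings


# Constructed sample responses (not real captures).
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx/1.14.0",
    "X-Powered-By": "PHP/7.2.1",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_security_headers(resp) or ["ok"])
```

To use it against your own app, feed it the headers from `requests.get(url).headers` (or `curl -I`); the hardened sample shows one header set that passes every check here, and the function deliberately treats `frame-ancestors` in the CSP as equivalent to `X-Frame-Options`, which is how modern browsers resolve the two.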
------
jxub
Maybe by guiding oneself by the established reputation of the hacker in
question, and by paying with escrow.

~~~
cyberferret
Any good escrow services out there that can facilitate this sort of
interaction that you could recommend?

~~~
jags-v
[https://www.hackerone.com/](https://www.hackerone.com/) is a good place to
start

------
matt_the_bass
Create a standard bug bounty policy and post it. I presume you'd like to find
high value bugs and that bounties may be an inexpensive way to find some. Plus
it gives bug submitters a clear picture of what they can expect from you. Most
that I've seen have some evaluation period before payment. If the bug
submitter doesn't agree to your terms, they are probably not for real. Unless
you are a high profile company, they probably won't spend effort arguing.

Also your customers might like that you have a public bug bounty program. That
might give them more confidence in your security.

------
bjourne
$250 is not a lot of money. The risk/reward ratio works out in your favor.

