
Ask HN: Are those “bug bounty” emails legit? - throwaway029343
The startup I work for just officially launched a few days ago and we have already got two emails from "security researchers" telling us they found a security vulnerability in our website and asking us if we offer a bug bounty reward (we can't afford one right now).

Here's one of the emails:

  Hi,

  I just found a Vulnerability in Website can I report it here?
  Do you have Bug bounty/reward program for reporting Bugs?

  Thanks and Regards
Are those emails legit? Are those researchers just sending emails to new startups to build a list of those which do offer bounties? I find it improbable that a researcher would have had time to find a serious security vulnerability in our website in such a short amount of time, but I obviously can't completely exclude that possibility.

Should I reply to the email? Just ignore it?
======
wyldfire
Yes, you should reply. What's the risk? The protocol is that they disclose
their discovery to you first and then you reward them.

If you honestly tell them that you plan to offer them no reward, then you and
they can feel comfortable continuing the transaction knowing the terms have
been made clear to all parties.

------
Techbrunch
Hey, I run a private bug bounty program on HackerOne and we get those emails
regularly. Most of the time they did not find anything serious and they are
just checking if you have one to see if they should invest time in it.

With a new startup and nobody looking at it they are more likely to find
something :) You should just be honest and tell them to send the details to
security@yourcompany.com. You can also create a private program on one of the
bug bounty platforms and invite them; they will get reputation/kudos if they
find something.

