Oliver Nassar

How I deal with 'Independent Security Researchers' (aka. Bug Bounty Hunters)

July 23, 2023

One thing that will happen to you if you run products with significant usage is that, eventually, 'Independent Security Researchers' or Bug Bounty Hunters will reach out to you. Their stories will often be similar: they independently help product owners and engineers to better secure their products, services, websites or platforms.

They'll report a bug to you (which in my case has almost exclusively consisted of bugs that I already know about and that are not relevant to the security of my products), providing some copy-and-pasted context of what the bug is, why it's important and the steps to resolve it.

The better ones will provide you with screenshots, videos and/or steps to reproduce the bug specific to your context.

The problem is that in every case I've encountered, these people have presented themselves with a foundation of bad faith: if you reply, they'll ask for a "bounty" and threaten to further target your site if you don't comply.


The Problem

When you start engaging with them, they'll often present themselves as seeking a reward for their good deeds. However, in most cases, that has turned into indirect and direct threats when I don't compensate them for their reports.

One of the challenges with their reports is that often, they'll file bugs that are edge-cases of edge-cases: the kinds of things that would only affect users from one country if they had a certain setting turned on within their browser and happened to right-click an innocuous link three times.

Furthermore, they'll often fake the severity of bugs. For example: one person reported that my MX settings were misconfigured to such an extent that they could send emails from my domain.

When I asked for proof of this, instead of them triggering an email to be sent to me, they sent me a screenshot of the email being sent to them.

The reason they did that is because they knew that had they triggered the email to be sent to me, it would have gone straight to my Spam folder.
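The spoofing claim above is the kind of report you can triage yourself before replying, by reading the SPF and DMARC TXT records the domain publishes: those records, not a screenshot, determine whether a receiver will reject, quarantine or merely spam-folder mail forged from the domain. The following is an added example, not code from the original post, and the three domains and their records are constructed samples; to check a real domain, pass it the TXT strings you fetched for the domain and for its `_dmarc` subdomain.

```python
"""Triage helper for an email-spoofing report.

Given the TXT records published for a domain and for its _dmarc subdomain,
parse the SPF and DMARC policies and classify how a policy-following
receiver treats a message with a forged From: header.

All records below are constructed sample strings, not real DNS data.
"""
import re
from dataclasses import dataclass


@dataclass
class SpoofTriage:
    spf_present: bool
    spf_all: str        # "-all", "~all", "?all", "+all", or "missing"
    dmarc_policy: str   # "reject", "quarantine", "none", or "missing"
    verdict: str        # "rejected", "quarantined", "receiver_dependent", "accepted"


def parse_spf(txt_records):
    """Return (spf_present, qualifier of the terminating 'all' mechanism)."""
    spf = next((r for r in txt_records if r.lower().startswith("v=spf1")), None)
    if spf is None:
        return False, "missing"
    # The 'all' mechanism is whitespace-delimited; an absent qualifier means '+'.
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf)
    if not m:
        return True, "missing"
    return True, (m.group(1) or "+") + "all"


def parse_dmarc(txt_records):
    """Return the DMARC p= policy, or 'missing' if no DMARC record exists."""
    dmarc = next((r for r in txt_records if r.lower().startswith("v=dmarc1")), None)
    if dmarc is None:
        return "missing"
    tags = {}
    for tag in dmarc.split(";"):
        key, _, value = tag.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p", "missing")


def triage(domain_txt, dmarc_txt):
    """Classify the fate of forged mail under the published policy."""
    spf_present, spf_all = parse_spf(domain_txt)
    policy = parse_dmarc(dmarc_txt)
    # DMARC is the record that actually instructs receivers; SPF alone is
    # only a signal, and what receivers do with it varies (a common outcome
    # is the spam folder, which is what the post describes).
    if policy == "reject":
        verdict = "rejected"
    elif policy == "quarantine":
        verdict = "quarantined"
    elif spf_all in ("-all", "~all"):
        verdict = "receiver_dependent"
    else:
        verdict = "accepted"
    return SpoofTriage(spf_present, spf_all, policy, verdict)


# Constructed sample records for three hypothetical domains (not real zones).
SAMPLES = {
    "locked-down.example": (
        ["v=spf1 include:_spf.mailprovider.example -all"],
        ["v=DMARC1; p=reject; rua=mailto:dmarc@locked-down.example"],
    ),
    "spf-only.example": (
        ["v=spf1 ip4:192.0.2.10 ~all", "some-verification=abc123"],
        [],
    ),
    "wide-open.example": (
        ["some-verification=xyz"],
        [],
    ),
}


if __name__ == "__main__":
    for name, (domain_txt, dmarc_txt) in SAMPLES.items():
        result = triage(domain_txt, dmarc_txt)
        print(f"{name}: SPF={result.spf_all} DMARC={result.dmarc_policy} -> {result.verdict}")
```

A report that claims "anyone can send mail as your domain" only describes real exposure when the verdict is `accepted` or, with caveats, `receiver_dependent`; a domain already at `p=reject` has nothing to fix, and the parsed records give you that answer without engaging the reporter.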

Experienced product managers and engineers know that bugs are an intrinsic part of software: they won't all be resolved. Therefore, the very act of having a bug reported to you is not in and of itself valuable.


The Blackmail

The repercussion of engaging with these Bug Bounty Hunters is that, in my experience, it almost always escalates to blackmail when you choose not to pay them a reward.

This blackmail can look different (e.g. "I'll announce on Twitter", "I'll exploit this bug", "I'll recommend other more serious hackers target your site"), but the core of it is a threat that unless you pay them some reward, you'll incur damage.

Thus, the challenge: when a Bug Bounty Hunter reaches out and reports a legitimate bug to you (regardless of its severity), how does one acknowledge it without opening up a discussion around merit and worthiness?

I'm suggesting this is a challenge because if someone does report a bug that I fix, I do appreciate it. I want to acknowledge the time they spent helping improve my product. But thus far, doing so has only caused more problems than it's resolved.


How I handle them

Since I run a number of products, I get one of these emails bi-weekly. They're often formatted in a similar way, and initially, they do come off as fair and legitimate.

But each time I've engaged with one of them, it's devolved into direct and indirect threats to cause professional and financial harm (and this includes one case where the bug reported was valid enough that I rewarded them with $50; they then came back asking for more).

So now, my approach is to simply read the report, investigate the severity, and if it's relevant, fix it. I won't reply or engage with them primarily because in my experience, it's only opened up my products to harm.

I'd love nothing more than to have a dialogue with these people about their reports, and reward them when appropriate, but unfortunately the fear tactics and threats that their contemporaries practice make that too professionally risky.