Don Scammo, barely visible in the deep shade behind the desk lamp aimed at the nervous website owner on the other side of the desk, sends cigar smoke rings in his intended victim’s direction. A thug looms on either side of the mark, just within peripheral vision. The Don leans back into his red leather chair, sips his Sangiovese, and makes an offer you can’t refuse: “Lovely website you got. It’d be a real shame if something … unfortunate … happened to it.”
In real life, the Don would just send an email, one of those “Dear sir or madam” missives warning of imminent disaster due to all sorts of security issues. Scary technical jargon – SPF, DMARC, X-Frame, OWASP – peppers the text. They want money, of course, in exchange for information about additional site vulnerabilities.
It feels like extortion, but can you be sure? Are you about to be hacked? Should you send these guys money? What’s really going on?
Here’s what’s going on: A beg bounty, the crooked cousin of the bug bounty.
What Are Bug Bounties?
The bug bounty is a legitimate, common, and effective practice for revealing vulnerabilities in software and websites. “White hat” hackers conduct them. (White hats are ethical; they want to help. Black hats are malicious.) When white hats find security flaws, they disclose the issue responsibly through established channels dictated by the organization’s bug bounty program. The target organization follows up, makes a fix, and compensates the white hat.
All major tech companies – from Google to Facebook to Microsoft – have bug bounty programs. More and more smaller companies are putting them in place. Companies such as HackerOne and BugCrowd run bounty programs on behalf of other organizations. Bug bounties have become so mainstream that even the Pentagon now compensates information security (“infosec”) professionals for responsible disclosures.
These programs make sense for both sides. Bounty programs pay only for legitimate issues. Fees range from the hundreds or the low thousands for each issue reported to six figures for the most severe issues. The cost of prevention is far below that imposed by a bad actor finding those same vulnerabilities. A recent report estimates the average data breach cost at around $4 million, not including the reputational damage of compromised customer data.
What Are Beg Bounties?
The current bane of the infosec community: beg bounties. Beg bounty hunters target smaller organizations that lack established bounty programs and/or responsible disclosure policies. They claim to be white hats. Their emails list various vulnerabilities on your site and offer some sort of proof that those vulnerabilities are real. They couch their pitch in the language of legitimate bug bounty programs. But they trade in fear.
The grains of truth in these pitches give them more credibility than they deserve. Usually, they report real vulnerabilities. But they never mention that these flaws are not severe and pose no immediate danger.
You don’t need anonymous strangers to detect vulnerabilities. Lots of readily available tools perform automated vulnerability scanning. We built one here at Northwoods, Missing Padlock. (These tools are so common that we’ve created a parody version, https://www.arbitrarygrader.com/). It’s easy enough to point one of these tools at a site and find some sort of issue. You can do it yourself. And so can the black hats.
Telling the Difference
Context distinguishes beg bounties from legitimate disclosures. Beg bounty emails usually include hyperbolic language about danger, when the issues are in fact almost always low-risk -- so low that an authentic bug bounty program would pay exactly zero dollars for the disclosure.
Information security is a spectrum, with vulnerabilities ranging from severe to low risk. The issues we report on Missing Padlock, for instance, are a specific category called “mixed content”. They don’t really compromise the security of your site, but they do prevent some aspect of your site from working properly. They might degrade user experience, but they don’t compromise user security.
Beg bounty hunters omit such nuance and try to panic you into running for cover.
What Should I Do?
Recently, a security issue with a library called “log4j” has attracted attention. As far as vulnerabilities go, “log4j” is a big one. It affects tons of systems, and the potential impact on each one is huge. Several of our clients have received emails about this issue and asked for advice.
Here’s what we tell them:
- First, be leery when someone you’ve never heard of asks for money. That’s usually the biggest red flag with beg bounties.
- Second, take a minute to verify the legitimacy of the sender. Is it from firstname.lastname@example.org, or from an enterprise security vendor you’ve used? If it’s a legitimate ethical hacker, a quick search online should show that. For instance, if someone named Troy Hunt emails you with an issue, the first page of Google results will quickly tell you he’s legit.
- Third, make sure that infosec professionals manage your systems. If you host your website with Northwoods, for instance, automated tools regularly scan our hosting environment. These would be the same tools the beg bounty people use, so anything they know we knew first. We quickly address any issues that arise, but we also understand context and impact. For instance, we sometimes don’t remediate very low-risk issues because they may have a negative impact – like lost functionality or degraded user experience – that far outweighs the security risk.
- Finally, if you’re ever unsure, it never hurts to ask. If you’re a Northwoods client, reach out to us. We stay on top of what’s going on in the infosec world and are always available to talk with you. For instance, when “log4j” blew up, we had already determined – before any clients asked about it – that it didn't affect any of our systems. We were able to calm any concerns immediately.
So, if some shady character makes an offer you can’t refuse, don’t panic. Refer to the advice above. If you’re still not sure whether or how to respond, reach out to us or another trusted infosec source for guidance. We stress about these things so you don’t have to!