Skip to Content
Northwoods
Main Content

Hiker looking out over blue-tinted mountains

5 Minute Read | December 29, 2021

Is that Scary Website Security Warning Email Legit?

What You Need to Know About Beg Bounties – and What to Do About Them

Don Scammo, barely visible in the deep shade behind the desk lamp aimed at the nervous website owner on the other side of the desk, sends cigar smoke rings in his intended victim’s direction. A thug looms on either side of the mark, just within peripheral vision. The Don leans back into his red leather chair, sips his Sangiovese, and makes an offer you can’t refuse: “Lovely website you got. It’d be a real shame if something … unfortunate … happened to it.”

In real life, the Don would just send an email, one of those “Dear sir or madam” missives warning of imminent disaster due to all sorts of security issues. Scary technical jargon – SPF, DMARC, X-Frame, OWASP – peppers the text. They want money, of course, in exchange for information about additional site vulnerabilities.

It feels like extortion, but can you be sure? Are you about to be hacked? Should you send these guys money? What’s really going on?

Here’s what’s going on: A beg bounty, the crooked cousin of the bug bounty.

What Are Bug Bounties?

The bug bounty is a legitimate, common, and effective practice for revealing vulnerabilities in software and websites. “White hat” hackers conduct them. (White hats are ethical; they want to help. Black hats are malicious.) When white hats find security flaws, they disclose the issue responsibly through established channels dictated by the organization’s bug bounty program. The target organization follows up, makes a fix, and compensates the white hat.

All major tech companies – from Google to Facebook to Microsoft – have bug bounty programs. More and more smaller companies are putting them in place. Companies such as HackerOne and BugCrowd run bounty programs on behalf of other organizations. Bug bounties have become so mainstream that even the Pentagon now compensates information security (“infosec”) professionals for responsible disclosures.

These programs make sense for both sides. Bounty programs pay only for legitimate issues. Fees range from the hundreds or the low thousands for each issue reported to six figures for the most severe issues. The cost of prevention is far below that imposed by a bad actor finding those same vulnerabilities. A recent report estimates the average data breach cost at around $4 million, not including the reputational damage of compromised customer data.

What Are Beg Bounties?

The current bane of the infosec community: beg bounties. Beg bounty hunters target smaller organizations that lack established bounty programs and/or responsible disclosure policies. They claim to be white hats. Their emails list various vulnerabilities on your site and offer some sort of proof that those vulnerabilities are real. They couch their pitch in the language of legitimate bug bounty programs. But they trade in fear.

The grains of truth in these pitches give them more credibility than they deserve. Usually, they report real vulnerabilities. But they never mention that these flaws are not severe and pose no immediate danger.

You don’t need anonymous strangers to detect vulnerabilities. Lots of readily available tools perform automated vulnerability scanning. (These tools are so common that we’ve created a parody version, https://www.arbitrarygrader.com/). It’s easy enough to point one of these tools at a site and find some sort of issue. You can do it yourself. And so can the black hats.

Telling the Difference

Context distinguishes beg bounties from legitimate disclosures. Beg bounty emails usually include hyperbolic language about danger, when the issues are in fact almost always low-risk -- so low that an authentic bug bounty program would pay exactly zero dollars for the disclosure.

Information security is a spectrum, with vulnerabilities ranging from severe to low risk. The issues we report on Missing Padlock, for instance, are a specific category called “mixed content”. They don’t really compromise the security of your site, but they do prevent some aspect of your site from working properly. They might degrade user experience, but they don’t compromise user security.

Beg bounty hunters omit such nuance and try to panic you into running for cover.

What Should I Do?

Recently, a security issue with a library called “log4j” has attracted attention. As far as vulnerabilities go, “log4j” is a big one. It affects tons of systems, and the potential impact on each one is huge. Several of our clients have received emails about this issue and asked for advice.

Here’s what we tell them:

  • First, be leery when someone you’ve never heard of asks for money. That’s usually the biggest red flag with beg bounties.
  • Second, take a minute to verify the legitimacy of the sender. Is it from randomguy123@gmail.com, or from an enterprise security vendor you’ve used? If it’s a legitimate ethical hacker, a quick search online should show that. For instance, if someone named Troy Hunt emails you with an issue, the first page of Google results will quickly tell you he’s legit.
  • Third, make sure that infosec professionals manage your systems. If you host your website with Northwoods, for instance, automated tools regularly scan our hosting environment. These would be the same tools the beg bounty people use, so anything they know we knew first. We quickly address any issues that arise, but we also understand context and impact. For instance, we sometimes don’t remediate very low-risk issues because they may have a negative impact – like lost functionality or degraded user experience – that far outweighs the security risk.
  • Finally, if you’re ever unsure, it never hurts to ask. If you’re a Northwoods client, reach out to us. We stay on top of what’s going on in the infosec world and are always available to talk with you. For instance, when “log4j” blew up, we had already determined – before any clients asked about it – that it didn't affect any of our systems. We were able to calm any concerns immediately.

So, if some shady character makes an offer you can’t refuse, don’t panic. Refer to the advice above. If you’re still not sure whether or how to respond, reach out to us or another trusted infosec source for guidance. We stress about these things so you don’t have to!

Authored By

Northwoods Team

Your Trusted Digital Trail Guides

Share on Social Media

hand-drawn owl

Get Expert Tips

#Begbounty hunters send emails that list various #security vulnerabilities on your website and use the language of legitimate #bugbounty programs. But they trade in fear: https://bit.ly/3ehHQGD. @northwoods #websitesecurity

Related Blog Posts

What Is First-Party Data Marketing?
What Is MarTech and Why Is it Important?
10 Ways to Get Your Website Ready for the New Year
3927511/Blog/Is-that-Scary-Website-Security-Warning-Email-LegitWhat You Need to Know About Beg Bounties – and What to Do About Them5
<p>Don Scammo, barely visible in the deep shade behind the desk lamp aimed at the nervous website owner on the other side of the desk, sends cigar smoke rings in his intended victim&rsquo;s direction. A thug looms on either side of the mark, just within peripheral vision. The Don leans back into his red leather chair, sips his Sangiovese, and makes an offer you can&rsquo;t refuse: &ldquo;Lovely website you got. It&rsquo;d be a real shame if something &hellip; unfortunate &hellip; happened to it.&rdquo;</p>

<p>In real life, the Don would just send an email, one of those &ldquo;Dear sir or madam&rdquo; missives warning of imminent disaster due to all sorts of security issues. Scary technical jargon &ndash; SPF, DMARC, X-Frame, OWASP &ndash; peppers the text. They want money, of course, in exchange for information about additional site vulnerabilities.</p>

<p>It feels like extortion, but can you be sure? Are you about to be hacked? Should you send these guys money? What&rsquo;s really going on?</p>

<p>Here&rsquo;s what&rsquo;s going on: A beg bounty, the crooked cousin of the bug bounty.</p>

<h2>What Are Bug Bounties?</h2>

<p>The <a href="https://en.wikipedia.org/wiki/Bug_bounty_program" linktype="3" target="_blank">bug bounty</a> is a legitimate, common, and effective practice for revealing vulnerabilities in software and websites. &ldquo;White hat&rdquo; hackers conduct them. (White hats are ethical; they want to help. Black hats are malicious.) When white hats find security flaws, they disclose the issue responsibly through established channels dictated by the organization&rsquo;s bug bounty program. The target organization follows up, makes a fix, and compensates the white hat.</p>

<p>All major tech companies &ndash; from Google to Facebook to Microsoft &ndash; have bug bounty programs. More and more smaller companies are putting them in place. Companies such as <a href="https://www.hackerone.com/product/bug-bounty-platform" linktype="3" target="_blank">HackerOne</a> and <a href="https://www.bugcrowd.com/products/bug-bounty/" linktype="3" target="_blank">BugCrowd</a> run bounty programs on behalf of other organizations. Bug bounties have become so mainstream that <a href="https://www.usds.gov/projects/hack-the-pentagon" linktype="3" target="_blank">even the Pentagon</a> now compensates information security (&ldquo;infosec&rdquo;) professionals for responsible disclosures.</p>

<p>These programs make sense for both sides. Bounty programs pay only for legitimate issues. Fees range from the hundreds or the low thousands for each issue reported to six figures for the most severe issues. The cost of prevention is far below that imposed by a bad actor finding those same vulnerabilities. <a href="https://www.ibm.com/security/data-breach" linktype="3" target="_blank">A recent report</a> estimates the average data breach cost at around $4 million, not including the reputational damage of compromised customer data.</p>

<h2>What Are Beg Bounties?</h2>

<p>The current bane of the infosec community: <a href="https://www.troyhunt.com/beg-bounties/" linktype="3" target="_blank">beg bounties</a>. Beg bounty hunters target smaller organizations that lack established bounty programs and/or responsible disclosure policies. They claim to be white hats. Their emails list various vulnerabilities on your site and offer some sort of proof that those vulnerabilities are real. They couch their pitch in the language of legitimate bug bounty programs. But they trade in fear.</p>

<p>The grains of truth in these pitches give them more credibility than they deserve. Usually, they report real vulnerabilities. But they never mention that these flaws are not severe and pose no immediate danger.</p>

<p>You don&rsquo;t need anonymous strangers to detect vulnerabilities. Lots of readily available tools perform automated vulnerability scanning. (These tools are so common that we&rsquo;ve created a parody version, <a href="https://www.arbitrarygrader.com/" linktype="3" target="_blank">https://www.arbitrarygrader.com/</a>). It&rsquo;s easy enough to point one of these tools at a site and find some sort of issue. You can do it yourself. And so can the black hats.</p>

<h2>Telling the Difference</h2>

<p>Context distinguishes beg bounties from legitimate disclosures. Beg bounty emails usually include hyperbolic language about danger, when the issues are in fact almost always low-risk -- so low that an authentic bug bounty program would pay exactly zero dollars for the disclosure.</p>

<p>Information security is a spectrum, with vulnerabilities ranging from severe to low risk. The issues we report on Missing Padlock, for instance, are a specific category called &ldquo;mixed content&rdquo;. They don&rsquo;t really compromise the security of your site, but they do prevent some aspect of your site from working properly. They might degrade user experience, but they don&rsquo;t compromise user security.</p>

<p>Beg bounty hunters omit such nuance and try to panic you into running for cover.</p>

<h2>What Should I Do?</h2>

<p>Recently, a security issue with a library called &ldquo;log4j&rdquo; has attracted attention. As far as vulnerabilities go, &ldquo;log4j&rdquo; is a big one. It affects tons of systems, and the potential impact on each one is huge. Several of our clients have received emails about this issue and asked for advice.</p>

<p>Here&rsquo;s what we tell them:</p>

<ul>
	<li><strong>First, be leery when someone you&rsquo;ve never heard of asks for money</strong>. That&rsquo;s usually the biggest red flag with beg bounties.</li>
	<li><strong>Second, take a minute to verify the legitimacy of the sender.</strong> Is it from randomguy123@gmail.com, or from an enterprise security vendor you&rsquo;ve used? If it&rsquo;s a legitimate ethical hacker, a quick search online should show that. For instance, if someone named Troy Hunt emails you with an issue, the first page of Google results will quickly tell you he&rsquo;s legit.</li>
	<li><strong>Third, make sure that infosec professionals manage your systems.</strong> If you host your website with Northwoods, for instance, automated tools regularly scan our hosting environment. These would be the same tools the beg bounty people use, so anything they know we knew first. We quickly address any issues that arise, but we also understand context and impact. For instance, we sometimes don&rsquo;t remediate very low-risk issues because they may have a negative impact &ndash; like lost functionality or degraded user experience &ndash; that far outweighs the security risk.</li>
	<li><strong>Finally, if you&rsquo;re ever unsure, it never hurts to ask.</strong> If you&rsquo;re a Northwoods client, <a href="https://www.nwsdigital.com/Contact-Us">reach out</a> to us. We stay on top of what&rsquo;s going on in the infosec world and are always available to talk with you. For instance, when &ldquo;log4j&rdquo; blew up, we had already determined &ndash; before any clients asked about it &ndash; that it didn&#39;t affect any of our systems. We were able to calm any concerns immediately.</li>
</ul>

<p>So, if some shady character makes an offer you can&rsquo;t refuse, don&rsquo;t panic. Refer to the advice above. If you&rsquo;re still not sure whether or how to respond, <a href="/Contact-Us" linktype="2" target="_self">reach out to us</a> or another trusted infosec source for guidance. We stress about these things so you don&rsquo;t have to!</p>
/Northwoods-2020/Hero-Images/Hiker-Looking-Out-Over-Mountains.pngHiker looking out over blue-tinted mountains#Begbounty hunters send emails that list various #security vulnerabilities on your website and use the language of legitimate #bugbounty programs. But they trade in fear: https://bit.ly/3ehHQGD. @northwoods #websitesecurityNorthwoods Team/Northwoods-2020/People/NWS-Bug-Grey.pngNorthwoods logo bugSenior Software Architecthttps://ctt.ac/K2vwz<script charset="utf-8" type="text/javascript" src="//js.hsforms.net/forms/embed/v2.js"></script><script>hbspt.forms.create({ region: "na1", portalId: "23630176",  formId: "40c5bbae-05a2-42ea-94dd-1662181fd56e"  });</script>/Northwoods-2020/Blogs/Social-Media-Cards/Is-that-Scary-Website-Security-Warning-Email-Legit---Social-Card.jpg?LargeIs that Scary Website Security Warning Email Legit?2021-12-29T00:00:00/Northwoods-2020/Blogs/Social-Media-Cards/Is-that-Scary-Website-Security-Warning-Email-Legit---Social-Card.jpgAn email warning of imminent disaster due to all sorts of security issues with your website hits your inbox. It includes lots of scary technical jargon, and  the sender ultimately asks for money in exchange for information. Should you send funds immediately? The quick answer: No. Here's what's really going on and how to protect your company.3621620/People/Northwoods-TeamNorthwoodsTeamYour Trusted Digital Trail Guides<p>For more than 25 years, the digital experts at Northwoods have been helping clients improve their websites, software, and digital strategy and marketing. How can we help you meet your goals?&nbsp;</p>

<p><a href="/Northwoods-2020/Services" linktype="2" target="_self">Learn more about our services</a>.</p>Northwoods Team/Northwoods-2020/People/NWS-Bug-Grey.pngAdd-In Type - NWS Data ModulesCategory - NWS Data ModulesCommittee - NWS Data ModulesDivision - NWS Data ModulesEvent Audience - NWS Data ModulesEvent Service - NWS Data ModulesEvent Type - NWS Data ModulesLocality - NWS Data ModulesModule - NWS Data ModulesNWS Data ModulesTopic - NWS Data ModulesPackage Type - NWS Data ModulesPersonID - NWS Data ModulesNorthwoods TeamProductVersion - NWS Data ModulesRecorded Webinar TopicsRegion - NWS Data ModulesSite Display - NWS Data ModulesSkillLevel - NWS Data ModulesTopic - NWS Data ModulesVideoAudience - NWS Data ModulesVideoClassification - NWS Data ModulesVideoStatus - NWS Data ModulesTeamAdd-In Type - NWS Data ModulesCategory - NWS Data ModulesCommittee - NWS Data ModulesDivision - NWS Data ModulesEvent Audience - NWS Data ModulesEvent Service - NWS Data ModulesEvent Type - NWS Data ModulesLocality - NWS Data ModulesModule - NWS Data ModulesNWS Data ModulesTopic - NWS Data ModulesWebsite DevelopmentPackage Type - NWS Data ModulesPersonID - NWS Data ModulesNorthwoods TeamProductVersion - NWS Data ModulesRecorded Webinar TopicsRegion - NWS Data ModulesSite Display - NWS Data ModulesNWS DigitalSkillLevel - NWS Data ModulesTopic - NWS Data ModulesVideoAudience - NWS Data ModulesVideoClassification - NWS Data ModulesVideoStatus - NWS Data Modules02024-02-20T12:19:07.76700