Dear "Security Researchers"
85 comments
·April 29, 2025junon
Reminds me of working on Chalk (JavaScript terminal coloring library).
My first foray into "beg bounties" was with Chalk. We received a report that inputs that contained malicious terminal escape sequences would be emitted to the terminal if passed through chalk.
But... yeah, of course they would. It's just a glorified string formatter, we don't care what you pass to us. They would have been emitted anyway if you just used console.log. There was literally nothing actionable for us to do. It wasn't our responsibility.
It wasn't just left there. The "researcher" persisted, threatening to file a CVE (which wreaks havoc on an OSS dependency such as Chalk that has millions of downloads a day) and kept swinging their proverbial member around with how they work for soandso esteemed research company (it wasn't) and ultimately demanded we compensate for their time, citing it as a responsibility and obligation.
I would have ignored it, but the threat of CVE (and the fact we'd have literally zero recourse against it) kept me on the hook.
Ever since then it's really watered down my view of the CVE/CVSS systems and has turned me a bit bitter toward "security researchers" in general, which isn't where I'd like to be.
With the rise of automatic ReDos detection the problem has only compounded over the last 4-5 years - things that might even technically fall under the "vulnerability" umbrella, but only if the code is so intentionally and egregiously misused, and in a manner that is dangerous with any library let alone ours, still earning a plea for monetary compensation.
It's silly, saddening and only discourages people to work on OSS stuff at a scale larger than hobbies, to be honest.
(Thank you for coming to my TED talk)
EDIT: I should mention that I have received legitimate reports by well-meaning researchers (no quotes) that are detailed and professional in nature I'm always proud to service them and see them through. They're increasingly rare, though. The downside is that doing OSS for free means I still cannot compensate for their time, even though I would love to.
klabb3
Wow. On the other side of the table, for system owners it dilutes the meaning of CVEs and causes alarm fatigue. I have a friend who says his npm logs are full of scary CVE/security vulns that are not relevant. The cost of upgrading is high, often breaking changes due to average js package quality, and the only reason is to suppress a spurious warning.
The thing security people refuse to accept though, is that security isn’t a paramount business concern, even if management understands the real risks. Stolen customer data is often followed by an apology and password reset request. Nobody cares, especially in a world where personal and private data no longer exists. Restore from backup, and move on.
Should it be that way? No. But it is. It’s not a security or awareness problem, it’s a business/culture problem. You can’t fix a broken engine with a better taillight.
ahartmetz
What are the consequences of a crap CVE with a vulnerability score of roughly 1 out of 10?
junon
ReDos often get 7 or above since they can be "network accessible" (anything can be). CVSS is broken.
And yes, people who get scared file reports asking us to fix it, oftentimes we can't (because it's not a real vuln), and 99% of the time they're not even remotely affected. The requests are generally not very nice, either.
Most of the time, the request to fix a CVE is the first we've ever heard of it being filed. "Security research agencies" oftentimes have their own databases, and rarely do these "researchers" follow any amount of responsible disclosure, let alone even telling us about their findings or that they've filed. Many of them don't even cite a reporter, email, or any such contact information.
Especially when the CVE is nonsense, improperly scored, etc. there is almost no way to get it taken down or to reduce its severity. Apparently in the eyes of these agencies the people writing the code cannot adequately gauge the severity of vulnerabilities. It's nearing levels of almost zero collaboration with maintainers before things are filed.
I can't remember the last time I even had the opportunity to release a proper fix before a CVE went out. I can count on one hand the number of times I was asked before a CVE was filed. I don't think a single CVE of any code I maintain has had a score that properly reflected the severity of the actual vulnerability (assuming there even was one).
Remember, most of us do this in free time, for free. So all of the extra bureaucracy and synthesized urgency can be extremely detrimental.
SSLy
inbox / github issue spam
K0balt
Your front door is accessible to the public. Without a fence around your yard and a guard at the gate, bad actors could get access to your front door and exploit any number of door vulnerabilities, including a chainsaw or battering ram.
Please send me $12,000 dollars.
sph
This is exactly what happens whenever you publish a website online, with so called "ethical hackers" finding minor vulnerabilities, hoping to get paid for running a script. See also https://www.troyhunt.com/beg-bounties/
shawabawa3
My favourite one that i've seen 4 of 5 iterations of, is people claiming about a privilege escalation or authentication bypass bug, then their reproduction is a convoluted way of doing:
1. Log in with admin credentials
2. Copy the session cookie
3. Run curl command using above session cookie
4. You have bypassed authentication!!
grishka
Your end-to-end encryption is compromised because I can read the messages directly from your app's local database in plaintext on a rooted device.
sim7c00
i am sorry this was already disclosed by our internal security team. thanks for your report but you will not be eligible for the bounty payout.
klabb3
Don't trust this person, it’s a scam. A real security consultant would have mentioned defense in depth and offered you a discount on their WAF offering.
leftcenterright
Beg bounty hunters have damaged the field so much.
But even in 2025, I have come across companies who do not at all care about rewarding good security researchers who report issues. Hell, I have even been ghosted after reporting the bug which they promptly fixed and did not even write back to say a "thank you". Has anyone else also encountered this behavior from tech companies? (not talking about a non profit, hospital or gov agency here)
xx_ns
Yes.
I'm a security researcher - no quotes. I write detailed, highly technical write-ups for all of the issues I discover, including reproduction steps, root cause analysis and suggestions for fixes. I follow all responsible disclosure guidelines + any guidelines that the company or entity might have for security disclosures.
It's disheartening when you put this amount of effort into it, it gets silently patched, and you get no recognition or even a "thank you". But I don't let it bother me too much. I'm doing this research mostly for myself and because I find it interesting. The fact that I'm disclosing the issues is me being a good citizen, but I shouldn't expect a pat on the head for every issue I disclose.
Being ignored always sucks. But it's still infinitely better than doing all of the above and being threatened with a lawsuit (which has, unfortunately, happened as well).
bashwizard
Companies like that needs to be outed so that no one will ever go any testing whatsoever for them in the future.
dcminter
Without feedback you don't know that the bug was fixed in reaction to your bug report. It might have been - but unless they explicitly invited bug reports in return for something then it's at worst bad manners not to acknowledge in that case. Debatably poor self-interest on their part as well.
As you note, the field has been damaged by bounty hunters. When the SNR drops low enough there's no point even reading the damn things and high-quality reports will be discarded along with the dross.
leftcenterright
> Without feedback you don't know that the bug was fixed in reaction to your bug report.
In this particular case, they did say they will consider a reward for a severe bug (it was severe, DNS hijack) and then once I shared details, the next day I checked, they had fixed it and never wrote back.
cinntaile
Next time you find a bug there you sell it to the highest bidder. Or maybe not you, but someone will do that. It's not really a winning strategy...
I did not know bug bounty had such a bad rep. Is this for reporting bugs outside of the bug bounty platforms?
entuno
Yeah, it's pretty common. Some years back I reported a stored XSS vulnerability in an online marketplace with hundreds of thousands of users - a proper writeup with HTTP requests, proof of concept, impact, etc. No mention of bounties/rewards or anything like that - just a vulnerability report.
I made multiple attempts to report it to their security team/mailbox over a several months and never got any response or acknowledgement back from them. Then a few months later they quietly fixed the issue.
ghusto
Yup. I reported what I considered to be a serious security flaw to a _security company's_ product. They wrote back (since I was a paying customer), telling me that it wasn't a security issue. A few weeks later they had patched the totally-not-a-problem thing.
klabb3
> Beg bounty hunters have damaged the field so much.
Sure, the grifters themselves are guilty too. But hear me out: maybe the corporate geniuses who decided to crowdsource security using non-contractual if-we-feel-like-it bounty payments could have contributed to the grifting culture.
> Hell, I have even been ghosted after reporting the bug which they promptly fixed and did not even write back to say a "thank you".
Just curious, why perform labor without a contract? If it’s just for personal interest, I wouldn’t even bother to report unless the company has something to offer first.
nottorp
"An attacker COULD if the stars align right EXPLOIT ..."
I'm too tired of the current scareware industry to write more.
The sad part is real security issues can get lost in the noise...
davedx
For sure. I've worked at orgs where we disabled package vulnerability scanners because they created a constant stream of upgrading busywork. So many "vulnerabilities" are things like "JavaScript prototype pollution in this package that does something in your build toolchain". So much noise and so very little signal, the incentives of these scanning and vuln tracking companies just aren't aligned well I don't think.
Nowadays I tend to more rely on tech news to hear when there's an actual serious vuln I need to address.
(Note I'm not advocating everyone do this. Do your own risk assessment).
saagarjha
Note that tech news is biased towards flashy or relatable security issues. Nobody is going to n-day your phone (though you should, of course, keep it up to date). It's your Drupal you should worry about.
capitol_
With that said, there is a long and proven track record of attacks on phones.
But those tend to be against journalists and activists.
What threat model you operate under is a nontrivial problem.
broodbucket
The issue is that understanding what is actually exploitable and what is actually a part of your threat model is difficult, it's a pretty high bar, a bar not met by most people that typically have decision making power around a product or service. It's a huge problem but it's not particularly easy to fix so it's pretty obvious why the industry has taken the route of deciding certifications and scans = security and that vulnerabilities only exist if they have a CVE assigned, and anything with a CVE assigned must be an actual problem.
nottorp
I read it as "certifications and scams" :)
Avamander
I will not spend time figuring out your setup and threat model, I'll tell you that it might be exploitable. If you want someone to do that, pay them.
nottorp
But you will spend time sending threatening emails with COULD and MAYBE? :)
elternal_love
The stars do align, more often then you would believe.
junon
No, they really don't. Exploits are rare, relative to the amount of code being run. And most "threats" are discussed absolutely, instead of relative to a threat model and mostly devoid of any context.
AlienRobot
I had someone argue that Wordpress had terrible security.
The only CVE's it had for 2 years only happened if you allowed random users to sign up.
There is a firewall plugin and basically the only thing it does is check if you have outdated plugins and log all the times a bot tried to log in by going posting user:admin password:admin to /wp-login.php. It's rare but a few of them tried my domain name as username instead. It sends me e-mails about new vulnerabilities found, and it's always some plugin. Sure, some of them are "installed" in thousands or millions of websites, but it's never anything in the Wordpress core itself.
If you hide /wp-login.php and avoid dependencies, it's practically impenetrable since it has to be the most battle-tested CMS out in the wild, and yet people swear it's Swiss cheese of security holes.
hcrean
xml-rpc.php paid for my pool... but I freely admit to a degree of "because the scanner said so".
thunderfork
"WordPress is fairly secure as long as you don't use any extensions and don't let arbitrary users sign up" is technically true, but it's no surprise that a lot of WordPress use cases collide with these two things.
For example, a WooCommerce site is both more sensitive than a blog and more likely to have sign-ups open and functionally necessary additional plugins running.
For better and for worse, WordPress is the ecosystem, not just the software itself.
JohnKemeny
Related: "AI generated security reports about curl". 371 points on Jan 2, 2024, 121 comments.
re
The notice on ftp.bit.nl predates ChatGPT. Perhaps more relevant: "Beg Bounties" 280 points, Nov 8, 2021, 104 comments https://news.ycombinator.com/item?id=29147555
> Want to be a bounty beggar? It's dead simple, you just use tools like Qualys' SSL Labs, dmarcian or Scott Helme's Security Headers, among others. Easy point and shoot magic and you don't need to have any idea whatsoever what you're doing!
lcnPylGDnU4H9OF
Alternatively to bounty begging, one could use these tools to find vulnerabilities and then try to figure out why it is a vulnerability and how it might be practically exploited. Seems like a good way to learn real security research. (Don’t actually exploit it, though...)
a3w
404 for both of https://ftp.bit.nl/.well-known/security.txt https://ftp.bit.nl/security.txt
Wrong place, did not read. Here go the ``security researchers'' begging/threatening for money.
proactivesvcs
And they wouldn't think to:
~ $ whois -h whois.abuse.net ftp.bit.nl
abuse@bit.nl (for bit.nl)
blueflow
Where do domain owners specify that address so that this service can answer these queries?
devttyUSB0
fixed it. thanks for pointing that out.
sleepyhead
"Security Researchers" does not know security.txt exists anyways.
praptak
Dear sysadmin for YCOMBINATOR,
Critical vulnerability on port 80: an attacker could exfiltrate all comments posted therein. Please provide a bug bounty for this critical vulnerability.
Cthulhu_
To add, I was able to publish messages with malicious content and it displayed without filters. This is very damaging to children.
The proof of concept malicious content: cross the road on red.
Please think of the children!
piecelyJohn
I’m convinced that the cybersecurity and security research industry is largely a pass-the-blame market. And honestly, that's not a bad thing — it's smart and even necessary. If a publicly traded company suffers a security breach, they can say, "We hired [security firm] to harden our systems — if something went wrong, it’s on them." This way, the company deflects blame, protects its reputation, and keeps shareholders satisfied. All-in-all not a bad strat
gnfargbl
The side effect of this process is that if [security firm] is doing their job then the systems do actually get hardened and the number of breaches is reduced as a result. In other words, this machine works as intended.
A common challenge is assessing whether [security firm] did actually do their job, or whether there just weren't any tigers around here in the first place. Hence, SOC2.
UncleMeat
Its unfortunately even worse than that, in my opinion. Security is making computers not do things. Software engineers spend much of their day trying to make computers do new things. It is almost necessary that security work adds friction to other work.
So not only is it often difficult to measure the actual impact of a security mitigation, it is often possible (or even easy) to measure the friction caused by a security mitigation. You really need everybody to believe in the necessity of a mitigation or else it becomes incredibly easy to cut.
dustingetz
TSA theatre, america fuck yeah
OsrsNeedsf2P
I can only imagine the frustration of Debian maintainers. It's so hard to remain positive and welcoming after years of abuse
TonyTrapp
Just to be clear, this isn't a note from the Debian maintainers, but from the company that runs a mirror for various projects.
mtmail
Same happens to us regularly. Server called 'downloads', in a directory 'public' whose homepage has the text 'this is a public server with files for very everybody to download'. There's even a file 'all-files-are-open-and-public-not-company-secrets.txt' in the directory.
fusslo
I'm at work and a little afraid of clicking on the 'pr0n' folder :)
ri0t
Got you covered. All sfw, just the filenames are a bit offensive, if you speak dutch. It's like that "two naked tits/boobies" (the birds) joke and others.
croemer
Those are joke pictures, try this one: https://ftp.bit.nl/pr0n/pussy-fisting.jpg
Dear System Owners,
I'm sorry that the security industry is a cesspool. We all know it's a cesspool. We can't pump it out.
However, please do not let the absolute state of things cause you to give up on security. Don't stop patching, don't go back to writing your passwords on post-it notes, don't just expose everything to the open internet and don't let an LLM perform your only code security review. Keep doing the boring, basic things, and you'll have the best chance at keeping the attackers out.
Ultimately security is a chore, like showering or visiting the dentist. And there are always going to be people telling you that you absolutely must apply deodorant to your groin or that you can avoid the dentist by rinsing with apple cider vinegar. Ignore them, and just keep doing the basics as well as you can.