Wednesday, 27 June 2018

New ask Hacker News story: Ask HN: How do you deal with unsolicited bug bounty hunters?

Ask HN: How do you deal with unsolicited bug bounty hunters?
8 by cyberferret | 4 comments on Hacker News.
I was emailed yesterday by someone out of the blue claiming to be a security researcher who 'found' a security flaw in our SaaS app. I was highly skeptical, and asked for details on the severity of the bug, plus any past references and work history regarding his bug bounty work, but he refused to give me much information until after I agreed to pay him a minimum $250 bounty. I refused to do so, but then I noticed on our 'God mode' dashboard that he created an account on our SaaS and then tried to upload an image with a malicious header as his avatar. Our system detected this, logged it and warned us, and stopped the activity. Our hunter then simply logged off and disappeared, and we terminated his account in the system. Just curious as to how other DevOps or developers out there deal with unsolicited bounty hunters like this? What is the best way to ascertain if their request is legitimate or not? How do you handle the 'chicken and egg' situation of agreeing to payment just in case they have found a valid security hole?

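As an added example (not code from the post or from cyberferret's app) of the kind of upload check the post describes: a validator that compares the declared content type with the file's signature bytes, looks for script or markup markers in the header, checks that a PNG opens with a well-formed IHDR chunk, and logs a warning on every rejection. The accepted types, the marker list and the sample uploads are assumptions constructed for this example.

```python
import logging
import struct

log = logging.getLogger("avatar-upload")

# Image types the avatar endpoint accepts, keyed to their signature bytes (assumed policy).
SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Markers that have no business in the leading bytes of a raster image (assumed list).
SUSPICIOUS = (b"<?php", b"<script", b"<svg", b"<!doctype", b"#!/")

def sniff_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for mime, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None

def validate_avatar(declared_mime: str, data: bytes, user_id: str):
    """Return (accepted, reason); every rejection is logged for the ops dashboard."""
    sniffed = sniff_type(data)
    head = data[:512].lower()          # only the header region is scanned for markers
    if sniffed is None:
        reason = "unrecognised image signature"
    elif sniffed != declared_mime:
        reason = f"declared {declared_mime} but content looks like {sniffed}"
    elif any(m in head for m in SUSPICIOUS):
        reason = "script or markup marker inside image header"
    elif sniffed == "image/png" and (
        len(data) < 16 or struct.unpack(">I", data[8:12])[0] != 13 or data[12:16] != b"IHDR"
    ):
        reason = "PNG does not start with a well-formed IHDR chunk"
    else:
        return True, "ok"
    log.warning("avatar upload rejected user=%s reason=%s", user_id, reason)
    return False, reason

# Constructed sample uploads (not real files): a minimal valid PNG header and a JPEG
# whose header carries a PHP open tag, the sort of pattern the post's detector flagged.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + bytes(13)
BAD_JPEG = b"\xff\xd8\xff\xe0" + b"<?php ?>"

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(validate_avatar("image/png", GOOD_PNG, "user-1"))
    print(validate_avatar("image/jpeg", BAD_JPEG, "user-2"))
```

The rejection reason is what gets logged and surfaced; the caller should discard the upload on any `False` result rather than attempting to sanitise it.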
