Tuesday, February 18, 2025
Improving Security by running a Bounty Program


Not all companies run bug bounty programs, but anyone who's run a website for a while is familiar with emails that read like "I've found a security bug on your site. Do you have a bounty program?". Troy Hunt calls these Beg Bounties.
Should you respond? Most people ignore these emails. After all, if the sender claims to be a responsible hacker, why not disclose the issue right away? Why would they tell you about the issue only if you pay them?
As AI language generation becomes more popular, emails like these are also going to increase. Senders will scan websites and send emails tailored to your site. Let's see what the best approach can be.
Ignoring a Beg Bounty email seems to be the most common approach. I've received many emails like this and I think only a handful have included anything useful. Based on that, my initial reaction would be to ignore the inbound emails.
However, there is a question that I want to answer before deciding on the approach:
Why are there so many Beg Bounties?
"It's the Economy, Stupid". There will always be people looking for quick wins by running an off-the-shelf script against your site and claiming to have found something profound. Done at scale, a return rate of 1% pays back the minimal effort. While different in nature and intent, the economics of beg bounties are the same as those of spam or 419 scams.
Imagine for a minute that all the bug reports we received were good-quality, actionable security vulnerability disclosures. Would we still be ignoring them? Most likely not. The more good-quality reports you get, the more likely you are to respond to them. Conversely, as you get more and more useless reports, you're more inclined to ignore the next one.
In other words, by ignoring reports we are contributing to their decline in quality. But, don't start replying to inbound emails just yet!
Let's go back to the problem of email spam. Email spam was a real problem for a very long time. It was so bad that some feared we might give up on email altogether as it became unusable. Bill Gates at one point proposed charging money for sending emails to make mass spamming economically unviable (in his proposal, you would not accept the money from a legitimate sender, but a spammer would have to pay a small amount per email).
However, today spam is not a big problem. This is thanks to advanced spam filtering technology deployed by Gmail and others that has made successful spamming (reaching your inbox) very hard. If you check your spam folder, you will still see many emails, but none make it to your inbox.
On the flip side, spam blockers sometimes block legitimate emails (how many times have you heard "did you check your spam folder?").
Run a Bug Bounty Program
Bug Bounty programs use the economics of incentives to encourage better security reporting. However, running a Bug Bounty program is not easy. For a bug bounty program you need:
- An advertised, secure and standardized method of reporting.
- A good "spam" filter that screens out random inbound alleged reports effectively.
- Encouragement of good reporting practices like a proof of concept, detailed reproduction steps, etc.
- Tracking of all inbound reports with audit trails and traceability.
- A payment system that pays out the bounty.
Reporting
Build a page that states the "in scope" and "out of scope" report criteria. Your inbound channel can be a form or an email.
Validate all Reports
You will receive reports (that's the whole point!), but not all of them are equally valid and relevant. So you need to define a flow for validating them. Look or ask for a proof of concept (PoC), screenshots, and other ways you can independently verify the claim.
Track and Catalogue
Many security compliance frameworks require you to have a demonstrable way to receive and respond to inbound security reports. Unfortunately, saying "we mark all inbound emails as 'spam'" is not going to cut it for SOC2 compliance.
Pay a Bounty
With reports coming from security researchers all over the world, paying them is a lot more difficult than one might think. Many reports are valid but not worth thousands of dollars, so a single bespoke payment is hard to justify. By paying small amounts for legitimate yet non-critical reports, combined with good filtering of inbound reports, you incentivize better reporting. Having a system that lets you make these payments to researchers across the globe is a challenge you will need to figure out.
Bug Bounty programs are difficult
As you can see, Bug Bounty programs are expensive to run. They need dedicated manpower and active monitoring and vetting. That is why bug bounty programs are limited to very large companies. The rest of us are left with voluntary disclosures from good samaritans and many Beg Bounty hunters.