> Want to be a bounty beggar? It's dead simple, you just use tools like Qualys' SSL Labs, dmarcian or Scott Helme's Security Headers, among others. Easy point-and-shoot magic and you don't need to have any idea whatsoever what you're doing!
I'm too tired of the current scareware industry to write more.
The sad part is real security issues can get lost in the noise...
Nowadays I tend to rely more on tech news to hear when there's an actual serious vuln I need to address.
(Note I'm not advocating everyone do this. Do your own risk assessment).
But those tend to be against journalists and activists.
What threat model you operate under is a nontrivial problem.
But even in 2025, I have come across companies who do not at all care about rewarding good security researchers who report issues. Hell, I have even been ghosted after reporting the bug which they promptly fixed and did not even write back to say a "thank you". Has anyone else also encountered this behavior from tech companies? (not talking about a non profit, hospital or gov agency here)
As you note, the field has been damaged by bounty hunters. When the SNR drops low enough there's no point even reading the damn things and high-quality reports will be discarded along with the dross.
I'm sorry that the security industry is a cesspool. We all know it's a cesspool. We can't pump it out.
However, please do not let the absolute state of things cause you to give up on security. Don't stop patching, don't go back to writing your passwords on post-it notes, don't just expose everything to the open internet and don't let an LLM perform your only code security review. Keep doing the boring, basic things, and you'll have the best chance at keeping the attackers out.
Ultimately security is a chore, like showering or visiting the dentist. And there are always going to be people telling you that you absolutely must apply deodorant to your groin or that you can avoid the dentist by rinsing with apple cider vinegar. Ignore them, and just keep doing the basics as well as you can.
Please send me $12,000 dollars.
Wrong place, did not read. Here go the "security researchers" begging/threatening for money.
~ $ whois -h whois.abuse.net ftp.bit.nl abuse@bit.nl (for bit.nl)
So if hypothetically I would find a .csv file with emails, names, dates of births and addresses on this website, I should not send an email because it can't possibly be a data leak.
abhisek•4h ago
NicolaiS•2h ago
worthless-trash•1h ago
To: abuse@yourdomain.com Subject: Bug bounty, PII data made available port 22. Please provide bug bounty for critical software flaw.
Issue description
This is critical, exploitation of the ftp server provides source code to a popular Debian server allowing attacker to sidestep usual reverse engineering procedures required to attack a system. (Authentication Bypass).
I will release this bug in thirty (30) days if no bug bounty has been granted and attackers will be able to take full advantage of this problem.
Reproducibility
This issue is trivial to reproduce, with popular hacking tools such as ftp and Internet Explorer.
Bounty value
Please be mindful and understand that this research takes up many hours and bugs like this can fetch up to $25,000 on popular bug bounty programs (https://www.hackerone.com/).
samlinnfer•1h ago
ChrisMarshallNY•1h ago