cyberax 6 hours ago

I keep getting emails with content like: "I found a critical bypass vulnerability in your app. What is the appropriate channel to disclose it, and do you have a bounty program?"

I tried engaging and replying to them, and it inevitably turns into: "Yeah, we don't actually have the vulnerability, but you are totally vulnerable, just let us do a security audit for you".

I have a pre-written reply for these kinds of messages now.

somewhatgoated 5 hours ago

I run the bug bounty for a fairly large OSS project, and the amount of shitty/bad-actor spam, beg bounties, etc. we get is huge. Like 95% of the emails to security@ are straight garbage.

kube-system 6 hours ago

Yeah, the signal to noise ratio on vulnerability reports is very weak, especially when the initial report withholds any detail.

I get tons of these messages too, and the ones that do include details are the kind of junk you get from free "website vulnerability scanners" that are a bunch of garbage that means nothing -- "missing headers" for things I didn't set on purpose, "information disclosure vulnerabilities" for things that are intentionally there, etc. You can put google.com into these things and get dozens of results.

Galanwe 6 hours ago

From the looks of it, they actually asked for a way to report.

bdangubic 6 hours ago

email security@company

pcthrowaway 5 hours ago

Sure, that is perhaps a good way to inquire about the appropriate channels to disclose a security vulnerability, but email is not a secure communication method for sending the details about a security vulnerability.

Terr_ 2 hours ago

It's kind of insane to think that the state of email encryption is still so bad in The Future Year 2026.

No flying cars? Okay. Nobody traveled much beyond the orbit of the Moon? Dang. But email? We didn't even get reliable privacy separate from identity?

cyberax 2 hours ago

> Nobody traveled much beyond the orbit of the Moon?

Oh, don't think that outer space will let you escape the misery of email:

> "I have two Microsoft Outlooks and neither one is working": Artemis II astronauts

bdangubic 3 hours ago

Start there and handle everything once you get in contact with the appropriate people.

cyberax 6 hours ago

Yeah. I'm just saying how it could have been overlooked. Doesn't excuse it, though.