Beg Bounty Hunters and Bug Bounty Programmes

A responsible disclosure programme or ‘bug bounty programmes’  is where ethical hackers or security researchers scan your website, find a vulnerability that puts you at risk and ask for compensation to fix the issue.  Even the likes of Facebook, Yahoo, Google, Reddit, and Microsoft have responsible disclosure programmes so that vulnerabilities can be fixed quickly and discreetly. Whereas the majority of responsible disclosure programmes are important to maintain security within the internet, there will always be those unethical bug bounties known as the ‘beg bounter hunters’ who email you easily found issues in the hope of making a quick euro.  Such beg bounter hunters are not worth paying an agreed amount as such issues could have been spotted by IT for your company or are not a legitimate vulnerability.

Examples of beg bounties that we have come across are broken DMARC ((Domain-Based Message Authentication, Reporting and Conformance) records, a missing CSP and broken SPF records.

DMARC Bounties

We were contacted by a bounty hunter just before Xmas asking us for a DMARC bounty. DMARC Bounties are not legitimate bounties and are recognised as beg bounties as they are easily found. However, by not having your DMARC configured correctly, it does make your domain and organisation vulnerable to phishing attacks and impersonation targeting your employees and customers, therefore we do recommend that companies secure a DMARC by default.

How To Secure A DMARC

DMARC is the number one foundation layer for email and domain security and will secure your organisation.

A DMARC (Domain-Based Message Authentication, Reporting and Conformance)” p=reject” policy will ensure all your malicious email is stopped.

To secure your DMARC vulnerability, you should contact your IT Provider or your hosting provider to see what needs to be done.

See the following links for more information and online tools to help you create a DMARC record.
https://dmarc.org/ & https://dmarc.org/resources/deployment-tools/