Few days ago I started receiving concerning email directly to my work email address, the email was from a so-called bug bounty hunter that was claiming to have found a vulnerability in one of our products, the email was very generic and it was not clear what was the vulnerability, the only thing that was clear was that the person was asking for money to disclose the vulnerability.
In this article, I will share with you my experience and why you should be careful when you receive such emails.
Fear Mongering and Fake Vulnerabilities Reports
The Fearmongering is a form of manipulation that is used by some bad actors especially in the security industry to create fear and doubt in the minds of people that are not security experts or even less technical people, the goal of this is to get money from the victim by creating a sense of urgency and fear.
The fake vulnerabilities reports are usually automated emails that are sent to a large number of people.
Are the Vulnerabilities Reports Real?
The short answer is no, the long answer is that it depends, most of them if not all of them use automated tools to scan for vulnerabilities, such as Nikto, Nessus, and others, although these tools are very good for a quick scan, they are not enough to find real vulnerabilities and more often than not they will give you a lot of false positives.
If you have never used these tools before, you can try them yourself and see how many false positives you will get, maybe you will get some real vulnerabilities but most of them will be low or medium severity vulnerabilities that are not really a big deal to your business.
The Email
Any security expert will give proper details about the vulnerability and at least his name and the company he works for, also finding a vulnerability but the vulnerability that leads to actual exploitation is very rare, and requires a lot of time and effort.
Why You Should Not Pay
Unless you can verify that the vulnerability is real and it can be exploited and the person that found it is a real security expert, you should not pay.
According to Chester Wisniewski from Sophos, there are reports that paying beg bounties leads to escalating demands for higher payments, one organization apparently said it started out at $500 and then, as further bugs were reported, the senders quickly demanded $5,000 and were more threatening.
The bottom line
If you receive such emails, you should not panic, and you should not pay, at most scan your website and update all your software and plugins, ask an expert friend or security forum and subreddit to help you.
Security is the most important thing in any business and with the recent increase in cyber attacks, it is important to be careful and not fall for such scams, but it should be a reminder to always keep your software up to date and adopt a security-first mindset.
I hope this article was helpful, if you have any question or suggestion, feel free to reach out to me on :
- By email at [email protected].
- If you want to know more about me, you can check out my about page.
You can use my articles with no cost or attribution, feel free to edit them and make them your own.