
As soon as we published a security.txt, we started receiving multiple beg bounties on a weekly basis.

The thing is that responding to them (regardless of what you write) often triggers a drip mail campaign with sad stories of how the 'hackers' are trying to pay for college, or their sick mother, or whatever typical scam story they can come up with. Within days you'll be sifting through dozens of emails, trying to find legit, serious reports.

This increases the risk that you skim over a serious report. You now risk a reputation problem, because if you do not reply in a timely manner, some hackers will resort to publication as a way of public shaming. Please, if you are a legit white hat hacker, try to understand how many junk reports we have to go through. Obviously, we want to credit real hackers :-)

Anyway, we deleted our security.txt. This dropped the number of beg bounties significantly (no more automated emails). A real human hacker will find a contact address anyway.



Unfortunately we also started receiving this claim shortly after creating a SECURITY page. Based on this, I've just decided to replace our email with a link to our online contact form so we can be reached without disclosing our email; hopefully that is enough to prevent automated email systems.


I too don't think you should have a `security.txt`, but in, meh, 5 years of fielding bad bounty reports for various companies for various reasons, I've never seen someone appeal to their sick mother or their college fund. I usually get one additional ask after I say "no", and then they move on.

I'm not sure I see the reputational risk you face here, since we all know the score on these reports. What are they going to do, tweet that you have an inadequate SPF record?


> What are they going to do, tweet that you have an inadequate SPF record?

Heh, well, given that I run an e-mail hardening platform, our customers rely on our consulting on how to (amongst other techniques) set an adequate SPF record. So, in my specific case, this would actually be bad publicity.

But what I meant was that for serious security issues, white hat hackers often do a writeup, as part of the public incident report. These often contain timelines. If it contains "contacted security@company.com, but got no response", this will make you look bad. This is what I meant with the reputation risk.


I guess my point is that it's only a risk if they're finding real vulnerabilities, and if that's what they're doing, our sympathies should be recalibrated. (Obviously, I think it's most likely that they're not finding real bugs).


The problem described is:

- scammers blasting sob stories at the security contact

- real security researcher finding something, reaching out to security@

- real researcher ending up in the spam bucket

- real researcher complaining that they got no response


That's not what's happening. If you're missing real bounty reports because you can't pick them apart from bogus SPF-type reports, that's on you. We've all had something like 10 years of experience fielding bounty reports and the one unmistakable dominant theme of everyone's experience with them is that almost all of the rando inbound reports are junk. Every competent security@ practice handles them just fine.

It's annoying, but frankly what can you really expect? Bounties are spec work. I think spec work is fine, and that designers are mostly wrong about pushing back on it (it's a norm in all sorts of professions) but I'm sure as hell not going to get up on a high horse about the quality of my spec submissions. If I want to cultivate an expectation of high-quality reports, I retain consultants, or run a Google-style program with nosebleed-high payouts for sev:med bugs.

The people we're talking about are spraying and praying for $50 bounties. They're not getting in the way of anyone's RCE report.

The researchers who get no response from valid bugs are running into vendors who run bad software security practices. That's not the fault of low-skilled amateur researchers.
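The comment above argues that a working security@ practice can separate scanner boilerplate (SPF/DMARC, missing headers, clickjacking) from reports that carry real reproduction detail. The script below is an added illustration of that triage, not code from any commenter: it routes constructed sample messages into "urgent", "review" or "slow" queues without discarding anything, so an informal but genuine report still reaches a human. The keyword lists and the sample inbox are assumptions for the example.

```python
"""Triage inbound security@ reports into queues without dropping any of them.

Added illustration for this thread, not code from any commenter. The keyword
categories and the sample messages are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# Findings that automated scanners mass-report. They are often real but
# low-severity, so they go to a slow queue rather than the bin.
BOILERPLATE = {
    "spf/dmarc": re.compile(r"\b(spf|dmarc|dkim)\b", re.I),
    "missing headers": re.compile(
        r"\b(x-frame-options|content-security-policy|strict-transport-security|"
        r"x-content-type-options)\b", re.I),
    "clickjacking": re.compile(r"\bclick-?jacking\b", re.I),
    "cookie flags": re.compile(r"\b(httponly|secure flag)\b", re.I),
    "version disclosure": re.compile(r"\b(server|version)\b.*\b(banner|disclos|reveal)", re.I),
}

# Signs the sender is after a payout rather than a fix (recorded, not penalised).
PAYOUT_ASK = re.compile(
    r"\b(bounty|reward|appreciation|compensat\w*|how much (will|do) you pay)\b", re.I)

# Signs of a reproducible finding that deserves a human's eyes soon.
EVIDENCE = re.compile(
    r"\b(steps to reproduce|proof of concept|poc|payload|curl |request:|response:|"
    r"traceback|stack trace)\b", re.I)

# Vulnerability classes whose impact justifies jumping the queue when evidence is attached.
HIGH_IMPACT = re.compile(
    r"\b(rce|remote code execution|sql injection|sqli|ssrf|idor|"
    r"auth(entication|orization)? bypass|account takeover|arbitrary file|"
    r"credential|api key|token leak)\b", re.I)


@dataclass
class Triage:
    queue: str                      # "urgent", "review" or "slow"
    reasons: list = field(default_factory=list)


def triage(subject: str, body: str) -> Triage:
    """Classify one message. Every message lands in some queue; none is dropped."""
    text = f"{subject}\n{body}"
    result = Triage(queue="review")
    boilerplate_hits = [name for name, rx in BOILERPLATE.items() if rx.search(text)]
    has_evidence = bool(EVIDENCE.search(text))
    high_impact = bool(HIGH_IMPACT.search(text))

    if high_impact and has_evidence:
        result.queue = "urgent"
        result.reasons.append("high-impact class with reproduction details")
    elif boilerplate_hits and not has_evidence:
        # Boilerplate with no reproduction steps: answer it, but on the slow queue.
        result.queue = "slow"
        result.reasons.append("scanner boilerplate: " + ", ".join(boilerplate_hits))
    else:
        # Anything informal or unclassified stays in front of a human.
        result.reasons.append("no boilerplate match or includes reproduction details")
    if PAYOUT_ASK.search(text):
        result.reasons.append("asks for payment")
    return result


# Constructed sample inbox (subject, body); not real reports.
SAMPLE_INBOX = [
    ("Vulnerability found in your website",
     "Dear sir, your domain is missing DMARC record and SPF has ~all. Attacker can spoof. "
     "Kindly tell me the bounty amount for this."),
    ("IDOR in invoice download",
     "Steps to reproduce: 1. log in as user A 2. GET /invoices/1042 belonging to user B. "
     "Response: 200 with user B's PDF."),
    ("Clickjacking on login page",
     "X-Frame-Options header is missing. What reward do you give?"),
    ("Question about your disclosure policy",
     "Hi, before I look further I want to know whether you accept reports for subdomains."),
]


def triage_inbox(inbox=SAMPLE_INBOX):
    """Return {subject: Triage} for every message in the inbox."""
    return {subject: triage(subject, body) for subject, body in inbox}


if __name__ == "__main__":
    for subject, t in triage_inbox().items():
        print(f"[{t.queue:6}] {subject}: {'; '.join(t.reasons)}")
```

The design choice that matters is the fallthrough: a message that matches no pattern at all goes to "review", not "slow", because the informal one-liner with no template is exactly the kind a serious researcher sends. Payment requests are logged as a reason for the responder's context but never change the queue on their own.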


Why not have a specific web form on your contact page that says "report a bug" that takes 1) contact email, 2) example compromised data (if any), 3) steps to reproduce, and 4) description of the bug?

A contact page that has a form to be filled out, with an auto response stating that no bounties are paid out, but all bug reports are read.

Any downsides? Full disclosure, I have not maintained the code on a website or server before.


You need to answer arbitrary, informal emails to `security@` no matter what. You can't impose a protocol on top of that. Serious security researchers can reasonably blow off coordination with you if you get fussy with it.


I feel like every 2-3 months a blog post rockets to the top of HN where a hacker discloses a vuln and says “I reported this to $company 10 months ago and it is still present in the most recent version of $OS”. If it’s AppAmaGooSoft they can take the hit (especially if it turns out to not be that bad) but I imagine for a smaller company (like one of the more indie cloud hosts) that could be damaging to their reputation among the folks who hang out here (many of whom purchase cloud hosting and other tech stuff).


Let me put it this way: I've never seen one of these beg-bounty people publicly shame a company for not fixing their SPF records. I think the reason for that is that it wouldn't work, but either way: it's not a real threat.

I don't even see evidence of the threat being made!


IMHO, what looks bad is when the company responds and asks for more time and more time and doesn't seem to be doing anything concrete. That shows lack of communication and coordination which looks worse than maybe missing one email or customer service request. Email doesn't always get delivered and customer service requests don't always get read by people who are empowered to do anything about it. If there's a pattern of not acting on emails, that may be different.

All that said, security reputation doesn't seem super important. I'm having trouble thinking of companies that have failed because of poor reputation in that area, despite having a desirable product otherwise. I'm not suggesting not to care about security, just that worrying about your reputation shouldn't be on your list of worries. Given that as an industry, we're still making the same security mistakes over and over, trying your best and learning from previous mistakes is a pretty good baseline. You can still get relative praise for reacting quickly and effectively to reports that are made public, even if you missed the early warning.


Worse, I've had a few of these beg bounties transition from sob stories to death threats after we rejected things again.


I've also had the experience of running a bug bounty program through a platform like Hackerone/Bugcrowd. It's the same exact shit. Awful.


I was thinking about deploying some security.txt on our sites and your experience occurred to me, it is sort of like hanging a fishhook out there for all sorts of automated spamming.


> if you are a legit white hat hacker

There's no such thing in my book.

There are, however, legitimate security researchers and consultants. If you are one of these and have a service you want to provide, then get in touch with me like everyone else and make your pitch. Get my permission to provide your service, instead of just "providing" it then sending me what feels like extortion threats to buy it.

I know that's not a popular opinion here, but IMO that idea is part of the problem, and exactly why the concept is so ripe for (and rife with) abuse.


I don’t know that I agree with looking at it that way. I find significant security vulnerabilities on sites from time to time (I have some modest security background but it isn’t my day job). I’m neither a security researcher nor some kind of white hat hacker, just a concerned technically literate netizen.

I have no interest in a bug bounty, I just want to see holes get patched.

I’m not looking to provide some service, and I’m not actively probing for issues, I’m just letting people know that they’ve left their door open…


I hear you. But, I was referring to the term "white hat" in the context of this thread. Maybe I should've better clarified that.

So, the activity you're speaking of isn't what I had in mind. If you've discovered something that you freely report to help operators secure vulnerabilities, then that's one thing. But, this "business" of targeting companies uninvited, then requesting payment creates shady scenarios at best.

Many times, you have no idea who these people are or affiliated with, and whether they will exploit or sell this info on the black market if you don't pay them. You also don't know if it's the beginning of a drip, whereby they just continuously target you for one-off "payment requests" on other issues.

There's very much a predatory feel about it. If people want to offer a service for something this sensitive, important, and reliant on trust, then come through the front door and be transparent about what your service provides and how much it costs.



