1. 24
  1. 13

    I think until you’ve been in the loop of a security reporting/response group, it’s hard to understand the signal/noise ratio of such things. Even before you get to the kinds of edge-case “is it a security issue or not” reports like the one described here, there’s often just tons and tons of low-effort stuff – many reports come from people who have only minimal understanding and are relying on (bug-prone and false-positive-prone) automated scanners in hopes of a bug bounty payday.

    1. 9

      It’s even harder for a library. I agree that the bug in question is not a security vulnerability in libcurl, but it might be a security vulnerability in a program that is using libcurl.

      1. 7

        I worked at an e-commerce company for a few years and tried to “do the right thing” and put a security@(website).com e-mail on our contact page for white hats who wanted to report any issues found. Within hours we were getting a constant stream of support emails and other correspondence which had nothing to do with security. It was quickly removed.

        1. 5

          I deliberately don’t add DMARC on my domains, because beg bounty scanners flag it as an issue, and I can immediately block anyone who mentions lack of DMARC to me.

          1. 2

            Don’t get me started on people who report the “urgent” “critical” security vulnerability of “my scanner didn’t like your domain’s DMARC/SPF”.

            1. 1

              Uh, that’s an interesting approach - I know of providers who don’t use SPF and DMARC for technical reasons (and use a giant IP whitelist).

              I did something similar for some time: set up a mail server and block every incoming login attempt, because I don’t have incoming email on that host at all

            2. 3

              Yeah, people using it as a support channel is a thing, too.

              Also the incredible amount of spam, but you can’t really spamfilter a security inbox that heavily or you might miss something legit.

            3. 1

              I had the same experience when the parent company of the one I worked for decided to instate a HackerOne bug bounty. The sheer number of useless reports made it difficult to properly address the actual vulnerabilities; IIRC we got 1 actual vulnerability every 20 reports.

              I’m not sure if that’s indicative of the whole public bug bounty industry, but after that experience I no longer want to run one and especially I do not want to have anything to do with HackerOne.

              1. 2

                It’s pretty common to get that kind of spam; it doesn’t have much to do with H1 itself - they just make the bounties easier to discover. You can actually pay them to get things screened for you so you get a much more reasonable list. I was happy with that result.