I think until you’ve been in the loop of a security reporting/response group, it’s hard to understand the signal/noise ratio of such things. Even before you get to the kinds of edge-case “is it a security issue or not” reports like the one described here, there’s often just tons and tons of low-effort stuff – many reports come from people who have only minimal understanding and are relying on (bug-prone and false-positive-prone) automated scanners in hopes of a bug bounty payday.
It’s even harder for a library. I agree that the bug in question is not a security vulnerability in libcurl, but it might be a security vulnerability in a program that is using libcurl.
I worked at an e-commerce company for a few years and tried to “do the right thing” and put a security@(website).com e-mail on our contact page for white hats who wanted to report any issues found. Within hours we were getting a constant stream of support emails and other correspondence which had nothing to do with security. It was quickly removed.
I deliberately don’t add DMARC on my domains, because beg bounty scanners flag it as an issue, and I can immediately block anyone who mentions lack of DMARC to me.
Don’t get me started on people who report the “urgent” “critical” security vulnerability of “my scanner didn’t like your domain’s DMARC/SPF”.
Uh, that’s an interesting approach - I know of providers who don’t use SPF and DMARC for technical reasons (and use a giant IP whitelist).
I did something similar for some time: set up a mail server and block every incoming login attempt, because I don’t have incoming email on that host at all.
Yeah, people using it as a support channel is a thing, too.
Also the incredible amount of spam, but you can’t really spamfilter a security inbox that heavily or you might miss something legit.
I had the same experience when the parent company of the one I worked for decided to instate a HackerOne bug bounty. The sheer number of useless reports made it difficult to properly address the actual vulnerabilities; IIRC we got 1 actual vulnerability every 20 reports.
I’m not sure if that’s indicative of the whole public bug bounty industry, but after that experience I no longer want to run one and especially I do not want to have anything to do with HackerOne.
It’s pretty common to get that kind of spam; it doesn’t have much to do with H1 itself - they just make the bounties easier to discover. You can actually pay them to get things screened for you so you get a much more reasonable list. I was happy with that result.