adding a security.txt was a mistake. we really can't have nice things on the internet anymore, huh?

@fionafokus I've been getting (about maybe three a week?) emails asking me if I have a bug bounty that look suspiciously generated-ish, and they never actually describe what the bug is.
Annoyingly, it seems like the concept around paying for bugs has unsurprisingly become highly motivating for people (either with little clue or care) to just run basic things (like what an uninspiring compliance 'pen test' would do) and demand payment for essentially entirely noise (as most of those automated reports are).
I've not seen a real good answer for this, because on one hand I definitely want people to be paid for discovering bugs and going through the process. On the other hand, doing so invites such a huge amount of crap that it's now an entirely separate job on its own to simply triage the inbox for this.
I can totally see why Apple's bug program is invite only.
@benjojo @fionafokus you don’t want to know how many people reported to us that http://ftp.bit.nl is an open FTP server. The warning message there doesn’t help, and when you point it out they still ask for a reward for their ‘hard work’…
We also see the automated mails which ignore everything you put in your security.txt and just ask if you have a reward program. No actual report is ever submitted by them though.