I spent some time working in bounty triage.

This behavior never rose above "mildly annoying". There are a lot of people out there who will check your website for the issues that they know how to find and fire off a form report letting you know.

They are really, really easy to deal with. There are two major relevant strategies:

- Many programs put it explicitly in their bounty policy that they won't consider the output of an automated tool. This automatically blocks the lowest-effort submissions.

- All programs specify in their policy what they consider a vulnerability and what they don't. "SPF configuration" is a common exclusion.

So if you get a low-value report, it takes maybe one minute to respond with a pointer to the part of your policy that explains why you won't even bother considering the report. If flyby reports are a major issue for you - publish a policy!

(As a third consideration, for me personally, these reports were especially easy to handle because you'd see the same guy filing more or less identical reports to several programs, and after the first time, you'd already have a good understanding of exactly what the report was saying.)

The people filing these reports are doing valuable work. Some programs really do care about some of the issues they find. Most programs don't care about most of the issues - but you can hardly blame the researcher for finding out whether the issue they already have in their hand might be worth something.

When I saw the headline, I thought of a different phenomenon that bothered me more. Many researchers are very ...anxious... about the status of their reports. I saw one guy, apparently from Egypt, who regularly found real vulnerabilities in a major website and earned thousands of dollars a month in bounties. If a report came in from him, it got taken seriously.

But he was constantly asking for status updates and commitments on when a report might get paid out. This was unpleasant to deal with. On the other hand, I did also see a handful of reports fall through the cracks and go untouched for months at a time, so again it's hard to blame the guy too much.
