Is soliciting money/rewards for 'responsible' security disclosures when none is stated a thing now?

I just got this in my e-mail...

Better known as Beg Bounties.

It's a thing.

I've gotten similar spam a number of times over the years (though people
offering to do SEO on my site are much more frequent).

The odd thing is - as far as I know, I don't *have* a website...

This is typical "Beg bounty".

This probably isn't even that. I've seen a bunch of similar spam to
various role accounts, some at domains that don't even have a website,
in the last month or so.

Several contained "real names" of alleged security researchers that
did not seem to exist in the real world.

It is worth remembering that bad guys may be interested in collecting
the e-mail addresses of people who are responsible for security within
your organization. These could be used to target those people with
malware, or to forge legitimate-looking e-mails "from" your security
department to your other employees.

It is likely that no good can come of engaging with these.

... JG

I had a situation like that a few years ago.

Someone accidentally included the .git directory in a docker image that was deployed to a customer’s website.
Unfortunately, early check-ins of the .git directory included a copy of the WordPress (yuck!) config file with hard-coded passwords. Those were moved to environment variables, but never changed. And for some reason the “developer” left indexing turned on. So the person was able to download the git directory and walk back through the history and found the passwords… and then connected to the database, which had some mild PHI (first names and phone numbers).

Since the tech contact for the domain came back to my company and not the developer, they reached out to me. After a few pleasant emails back and forth he told me exactly where he found the passwords. I rotated passwords and yelled at the developer, and thanked the guy who found it. He kindly asked if I would “donate” to him by buying something from his Amazon wishlist. I should note that he asked after he told us exactly what the problem was.

I discussed it with the client and they picked some ~$400 item from the list and sent it to him.

It could have been worse, but everyone involved agreed that it would be nice to reward the guy for pointing out the blunder.

$400 was a small price to pay for the client since they do something like $10 million USD per month. After that the client paid for a full security audit of their web presence by a third-party company and everything came back clean.

Do what you think is appropriate, but I’m all for encouraging responsible and positive disclosure as well as being kind. If the guy had started the email with “send me money or else I’ll disclose” the entire process would have been very different.

-A
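A defender-side check for the failure -A describes, added here as an example and not code from anyone in the thread: it parses `git log -p` output (a constructed sample is embedded) and reports the commit that first introduced a hard-coded wp-config.php credential, which is why moving a secret into an environment variable is not enough unless the secret is also rotated. `scan_repo` assumes the git CLI is on PATH; the key names are the standard wp-config.php ones.

```python
# Added example (not from the thread): walk `git log -p` output and flag
# commits that introduced hard-coded wp-config.php credentials.
import re
import subprocess
from typing import Dict, List, Tuple

# wp-config.php keys that must never be committed with literal values.
SECRET_KEYS = ("DB_PASSWORD", "AUTH_KEY", "SECURE_AUTH_KEY", "NONCE_KEY")
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})")

def find_secret_defines(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) for each define() that hard-codes a secret key."""
    return [(k, v) for k, v in DEFINE_RE.findall(text) if k in SECRET_KEYS and v]

def scan_log(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map commit hash -> secrets introduced by '+' lines of that commit.
    Only added lines are checked, so a value moved out later still shows
    up at the commit that first introduced it: history keeps it."""
    found: Dict[str, List[Tuple[str, str]]] = {}
    commit = None
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit = m.group(1)
            continue
        if commit and line.startswith("+") and not line.startswith("+++"):
            hits = find_secret_defines(line[1:])
            if hits:
                found.setdefault(commit, []).extend(hits)
    return found

def scan_repo(path: str = ".") -> Dict[str, List[Tuple[str, str]]]:
    """Run the scan on a real checkout (needs the git CLI on PATH)."""
    proc = subprocess.run(["git", "-C", path, "log", "-p", "--all"],
                          capture_output=True, text=True, check=True)
    return scan_log(proc.stdout)

# Constructed sample log: a secret committed, then swapped for getenv()
# without rotation. The scanner still reports the first commit.
SAMPLE_LOG = """commit a1b2c3d
    add wp-config
+++ b/wp-config.php
+define('DB_NAME', 'shop');
+define('DB_PASSWORD', 'hunter2');
commit e5f6a7b
    move password to env
-define('DB_PASSWORD', 'hunter2');
+define('DB_PASSWORD', getenv('DB_PASSWORD'));
"""
```

Any commit the scan reports means the value must be treated as exposed and rotated, not just removed from the working tree; keep .git out of build contexts with a .dockerignore as well.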