Is soliciting money/rewards for 'responsible' security disclosures when none is stated a thing now?

Joe Greco jgreco at ns.sol.net
Sat Mar 5 00:15:09 UTC 2022


On Fri, Mar 04, 2022 at 11:33:47PM +0200, Denys Fedoryshchenko wrote:
> This is typical "Beg bounty".
> https://www.troyhunt.com/beg-bounties/

This probably isn't even that.  I've seen a bunch of similar spam to
various role accounts, some at domains that don't even have a website,
in the last month or so.

Several contained "real names" of alleged security researchers that
did not seem to exist in the real world.

It is worth remembering that bad guys may be interested in collecting 
the e-mail addresses of people who are responsible for security within
your organization.  These could be used to target those people with
malware, or to forge legitimate-looking e-mails "from" your security
department to your other employees.

It is likely that no good can come of engaging with these.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way
through our political and cultural life, nurtured by the false notion that
democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov

