I keep getting emails with content like: "I found a critical bypass vulnerability in your app. What is the appropriate channel to disclose it, and do you have a bounty program?"
I tried engaging and replying to them, and it inevitably turns into: "Yeah, we don't actually have the vulnerability, but you are totally vulnerable, just let us do a security audit for you".
I have a pre-written reply for these kinds of messages now.
Yeah, the signal-to-noise ratio on vulnerability reports is very weak, especially when the initial report withholds any detail.
I get tons of these messages too, and the ones that do include details are the kind of junk you get from free "website vulnerability scanners" that are a bunch of garbage that means nothing: "missing headers" for things I didn't set on purpose, "information disclosure vulnerabilities" for things that are intentionally there, etc. You can put google.com into these things and get dozens of results.
I run the bug bounty for a fairly large OSS project, and the amount of shitty/bad-actor spam, beg bounties, etc. we get is huge. Like 95% of the emails to security@ are straight garbage.
From the looks of it, they actually asked for a way to report.
email security@company
Sure, that is perhaps a good way to inquire about the appropriate channels to disclose a security vulnerability, but email is not a secure communication method for sending the details about a security vulnerability.
It's kind of insane to think that the state of email encryption is still so bad in The Future Year 2026.
No flying cars? Okay. Nobody traveled much beyond the orbit of the Moon? Dang. But email? We didn't even get reliable privacy separate from identity?
> Nobody traveled much beyond the orbit of the Moon?
Oh, don't think that outer space will let you escape the misery of email:
> "I have two Microsoft Outlooks and neither one is working": Artemis II astronauts
Start there and handle everything once you get in contact with the appropriate people.
Yeah. I'm just saying how it could have been overlooked. Doesn't excuse it, though.