Many of you who run websites may have received an email saying that your website has a vulnerability and that the "ethical hacker" is demanding a bug bounty before disclosing the full issue or suggesting a fix.
In reality, this is often a scam. The "ethical hacker" has usually obtained the information by running a free scan, and in many cases the reported vulnerability is not a vulnerability at all. Often the disclosed "vulnerability" is a missing HTTP security header, or something to do with authentication or rate limiting.
Some examples we’ve seen:
- The website does not log you out if you log in from another browser.
- The website does not rate limit you for any specific action.
- Changing the password in a session does not log you out from another session.
The above are not necessarily vulnerabilities; whether they matter depends heavily on how your website and your platform work.
Our suggestion is simple:
- Engage your own security team if you are unsure what is going on, or whether the claim is real.
- Do not reply to such emails until you have consulted an expert.
- Try one of the free scanners yourself, such as:
  - https://sitecheck.sucuri.net/
  - https://pentest-tools.com/website-vulnerability-scanning/website-scanner
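As an added example (not part of the original post or of either scanner), here is a small Python check for the kind of "missing headers" finding these emails cite, run against a constructed response header block standing in for a capture from your own site. The header names and the one-year HSTS threshold are common recommendations assumed here, not values from any particular report, and whether a given header matters still depends on your site (HSTS, for instance, only applies to HTTPS).

```python
# Added example: triage a "missing security headers" claim against a
# captured HTTP response from your own site. Header names and thresholds
# are common recommendations (assumed), not values from any report.
import re

# Constructed sample: a raw response header block as `curl -I` would show
# it. Replace with a real capture from a site you own.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
"""

MIN_HSTS_MAX_AGE = 31536000  # one year, a commonly recommended minimum


def parse_headers(raw):
    """Parse a raw header block into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(raw):
    """Return a list of findings; an empty list means nothing to flag."""
    h = parse_headers(raw)
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age below one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = h.get("content-security-policy", "")
    # Clickjacking protection can come from either CSP or X-Frame-Options
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors/X-Frame-Options)")
    if not csp:
        findings.append("missing Content-Security-Policy")
    return findings


if __name__ == "__main__":
    for finding in check_security_headers(SAMPLE_RESPONSE):
        print("-", finding)
```

Run it on a real capture and compare the output with what the email claims; a short HSTS max-age or an absent CSP is a configuration note for your team, not grounds for paying anyone.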