This episode breaks down the rise of “beg bounties” and examines how unsolicited vulnerability claims create confusion, noise, and operational overhead for security teams. Sean Martin and Casey Ellis discuss what organizations can do to prepare, respond, and set clear expectations through structured disclosure policies.
⬥EPISODE NOTES⬥
Understanding Beg Bounties and Their Growing Impact
This episode examines an issue that many organizations have begun to notice, yet often do not know how to interpret. Sean Martin is joined by Casey Ellis, Founder of Bugcrowd and Co-Founder of disclose.io, to break down what a “beg bounty” is, why it is increasing, and how security leaders should think about it in the context of responsible vulnerability handling.
Bug Bounty vs. Beg Bounty
Casey explains the core principles of a traditional bug bounty program. At its core, a bug bounty is a structured engagement in which an organization invites security researchers to identify vulnerabilities and pays rewards based on severity and impact. It is scoped, governed, and linked to an established policy. The process is predictable, defensible, and aligned with responsible disclosure norms.
A beg bounty is something entirely different. It occurs when an unsolicited researcher claims to have found a vulnerability and immediately asks whether the organization offers incentives or rewards. In many cases, the claim is vague or unsupported and is often based on automated scanner output rather than meaningful research. Casey notes that these interactions can feel like unsolicited street windshield washing, where the person provides an unrequested service and then asks for payment.
Why It Matters for CISOs and Security Teams
Security leaders face a difficult challenge. These messages appear serious on the surface, yet most offer no actionable details. Responding to each one triggers incident response workflows, consumes time, and raises unnecessary internal concern. Casey warns that these interactions can create confusion about legality, expectations, and even the risk of extortion.
At the same time, ignoring every inbound message is not a realistic long-term strategy. Some communications may contain legitimate findings from well-intentioned researchers who lack guidance. Casey emphasizes the importance of process, clarity, and policy.
How Organizations Can Prepare
According to Casey, the most effective approach is to establish a clear vulnerability disclosure policy. This becomes a lightning rod for inbound security information. By directing researchers to a defined path, organizations reduce noise, set boundaries, and reinforce safe communication practices.
The episode highlights the need for community norms, internal readiness, and a shared understanding between researchers and defenders. Casey stresses that good-faith researchers should never introduce payment into the first contact. Organizations should likewise be prepared to distinguish between noise and meaningful security input.
This conversation offers valuable context for CISOs, security leaders, and business owners navigating the growing wave of unsolicited bug claims and seeking practical ways to address them.
⬥GUEST⬥
Casey Ellis, Founder and Advisor at Bugcrowd | On LinkedIn: https://www.linkedin.com/in/caseyjohnellis/
⬥HOST⬥
Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com
⬥RESOURCES⬥
Inspiring Post: https://www.linkedin.com/posts/caseyjohnellis_im-thinking-we-should-start-charging-bug-activity-7383974061464453120-caEW
Disclose.io: https://disclose.io/
⬥ADDITIONAL INFORMATION⬥
✨ More Redefining CyberSecurity Podcast:
🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast
Redefining CyberSecurity Podcast on YouTube:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/
Contact Sean Martin to request to be a guest on an episode of Redefining CyberSecurity: https://www.seanmartin.com/contact
⬥KEYWORDS⬥
cybersecurity, bug bounty, vulnerability disclosure, beg bounty, hacking, researcher, ciso, security teams, risk management, web security, security policy, vulnerability reporting, cyber risk, bugcrowd, discloseio
[00:00:36] Sean Martin: And hello everybody. You're very welcome to a new episode of Redefining CyberSecurity here on ITSPmagazine. This is Sean Martin, your host, where if you listen, you know, I get to talk to all kinds of cool people about cool topics and, uh, today is no exception, of course. Mr. Casey Ellis, how are you, my friend?
[00:00:54] Casey Ellis: Doing well, Sean. Good to see you.
[00:00:56] Sean Martin: Good to see you. Um, it's been too long since [00:01:00] we've been on, uh, on
[00:01:01] Casey Ellis: It has been a while. Yeah, absolutely. I was just thinking that.
[00:01:03] Sean Martin: Yeah, it's been a few days, I think, but, uh, it's always good to see you and, uh, and glad to know you're, you're, uh, well and doing all kinds of things and, uh, yeah, it's a lot of, we're not gonna talk about all the stuff you've been, been up to, but, uh, uh, suffice to say you're on the cutting edge and of, uh, some fun stuff that's happening and, uh, perhaps we'll get a chance to talk about that.
Today we're gonna be looking at beg bounty. Which I had no idea.
[00:01:32] Casey Ellis: stuff.
[00:01:33] Sean Martin: No idea that this thing existed. Um, and, and even more so today, which we'll touch on. Sure. But, uh, uh, before we get into the topic of what the heck a beg bounty is (not a bug bounty). Um, uh, a few words just to kind of reintroduce yourself to, uh, to my audience on Redefining CyberSecurity.
[00:01:51] Casey Ellis: Yeah, sure. Um, yeah, so my name's Casey Ellis. I am probably best known as the, uh, the founder of Bugcrowd. Uh, I also co-founded a [00:02:00] thing called the disclose.io project. Um, basically I've, I've been involved in orchestrating, you know, hacking the internet at scale for a... 13 years. Uh, and then prior to that I was in solution architecture.
I was a CSO for a period of time and actually kind of cut my teeth into the industry as a pen tester back in the early 2000s. So I've been, I've been around for a while doing this type of thing. Um, but yeah, the last season, uh, has been very much focused on, you know. Basically building and equipping the security research in the hacker community to be a part of the fight on, on behalf of defenders.
That was kind of the origin, you know, Bugcrowd didn't invent bug bounty or vuln disclosure programs. But we did pioneer this idea of building out a platform to basically connect, you know, all of the talent and all the potential that's available on the, uh, on the, you know, the good faith hacker side of things with all of the problems that we're trying to kind of outsmart a crowd of adversaries around, uh, on the, on the defender side.
That's a bit of my background. And yeah, just in terms of, you know, the other side [00:03:00] bit, I did have a, uh, a bit of an unexpected career break midway through last year. Had to have, uh, heart surgery for a, a genetic issue that kind of popped up. Um, so that's, uh, that, that caused me to step back for a period of time.
But, um, you know, as you mentioned, I'm sort of getting back into the game at the moment and having fun doing it.
[00:03:17] Sean Martin: Yeah, I'm, uh, I'm, I'm so, so glad that, uh, that you are and that we're here, my friend, and, um,
[00:03:24] Casey Ellis: Me too,
[00:03:25] Sean Martin: yeah. Yeah, absolutely. So I, you mentioned disclose.io and I'll, you and I, and I can't remember who else was with us, was it, uh.
[00:03:34] Casey Ellis: Chloe, maybe. Yeah, it would've been.
[00:03:36] Sean Martin: Yeah. Um, so we, it's been a few years since we, we had that conversation.
I can't imagine a tremendous amount has changed, but, uh, I'll link to that episode 'cause I think it's important for folks to, to know what disclose.io is and
[00:03:49] Casey Ellis: absolutely.
[00:03:50] Sean Martin: look it up right now, disclose.io.
[00:03:51] Casey Ellis: short, short, short, short version of that is that, um, you know, there has definitely been a bunch of like legislative changes that have [00:04:00] happened kind of really around the world at this point. Um, kind of reflecting the fact that like a hacker is not necessarily, you know, when we started Bugcrowd back in like 2012, the problem that we had to solve was to basically explain to the internet that hackers aren't always bad.
Like hacking is this like powerful kind of dual use, morally agnostic skillset that you can use for bad things. But you know, then you've got people like me that enjoy thinking like a criminal, but don't wanna be one. Right? So how do we, how do we kind of establish that idea, but then also how do we, um, see some of the laws that were written?
With this sort of default bad mindset, um, changed to reflect, you know, the way that things are. So, you know, disclose.io is really focused on, on driving standardization and, and adoption of vulnerability disclosure programs and then actually using the adoption of those programs to basically create leverage, um, at the, at the policy level to see the laws change.
And that's been a fun ride.
[00:04:59] Sean Martin: Yeah, [00:05:00] so, so good, so important. And, uh, yeah, I encourage everybody to go to go take a look at that and if, if, if we need to have another chat, we can, we can certainly dig into
[00:05:09] Casey Ellis: We can come back to that one.
[00:05:10] Sean Martin: Yeah, exactly. So. Bug bounty. Just to, I'm sure a lot of people know what it is, but, uh, let's just not beg bug
[00:05:20] Casey Ellis: Bug. Bug. Not.
[00:05:22] Sean Martin: describe that, uh, in the context of my audience.
CISOs, security leaders,
[00:05:29] Casey Ellis: Yeah, certainly.
[00:05:30] Sean Martin: Yeah.
[00:05:31] Casey Ellis: So, a, a, a, a bug bounty is effectively a reward that's offered for someone to discover, you know, a vulnerability, um, or a risk like basically, you know, the ability to exploit any given system or, or any given company. Um, so, you know, really like the, the traditional kind of rules of it, um, that, you know, as I said, kind of predate Bugcrowd, go back to probably 1995, I think was one of the first ones in
[00:05:57] Sean Martin: Was it? Was it
[00:05:57] Casey Ellis: Netscape it was Netscape back in the day.
[00:06:00] Yeah. And there's variations of it that go way further back than that. But, you know, you think about bounties in the old West and that kind of concept of. You know, a reward being used to reduce information asymmetry or to encourage people to look for a thing. It's that, except for vulnerabilities and risks in, in computer systems.
So yeah, the idea is that, you know, the first person to find a unique issue that's within the scope of an established program that's been set out, um, gets a reward for, for that. And then kind of the general idea is that the more critical, the more severe the issue, they find the, uh, the greater the reward.
Yeah, the idea, I mean, that, that was kind of the core concept that we, that we used to kick Bugcrowd off. 'cause it's like this is, you know, the public version of that's very chaotic. You just kind of throw it out to the internet and, and not every organization's in a position where they can or should do that, but this, but.
Sort of overarching concept of, well, we're crowdsourcing now we're actually able to get, you know, a, a broader set of eyes on [00:07:00] target. We can kind of start to figure out who the right people are and connect them in and get better efficiency out of, out of what we're paying for in pen testing and different things like that.
That was kind of the origin of the idea for Bugcrowd. So yeah, that's what a bug bounty is. It's basically paying for a vulnerability, um, or offering a reward specifically for a vulnerability, and then paying someone when they find it.
[00:07:17] Sean Martin: Yeah. And so I, I think, uh, funny enough, I just crossed my, uh, crossed my feed this morning, uh, on, on the news. Now the news is old. It's like old, old meaning October 10th, so nearly a month old. But Apple announced a $2 million bug bounty, just as an
[00:07:34] Casey Ellis: Yeah.
[00:07:35] Sean Martin: Um, looking for the most serious, uh, uh, weaknesses that obviously they, they wanna find before criminals do.
[00:07:42] Casey Ellis: Yeah. Yeah. And I mean, in Apple's case, you've got, you've got vendors that, that do that, um, that have like a competitive. Uh, basically malicious like offensive market for, for, for those vulnerabilities, right. So it's, it's not, you know, some, [00:08:00] some of those markets are in the west, so it's not necessarily fair to say they're black hat or white hat or whatever else.
But the idea of folks that buy those vulnerabilities for the purpose of using them kind of in anger, so to speak, you know, Apple's been dealing with that for a really long time. 'cause handsets are an attractive target for. You know, the intelligence community and, and whoever else. We're at a point now with, with things like, um, initial access brokers and, and kind of the rise of.
You know, the, the kind of cyber criminal ecosystem, ransomware as a service operators, all that kind of stuff where, you know, most vulnerabilities that are exploitable and that's a big caveat there. Um, do have some sort of value attached to them. Like the idea of a bug bounty program, I think in 2025, is creating an incentive to get that information to where you can do something about it instead of having it go off somewhere else.
[00:08:49] Sean Martin: Yeah. Yep. And, uh, yeah, I don't know how many, what the stats are, but, uh, I know a lot of the large organizations either run their own or, or use a platform[00:09:00]
[00:09:00] Casey Ellis: Yeah.
[00:09:00] Sean Martin: built. Um, yeah, I think the, the interaction and the ability to scale, you mentioned scale already is important and. So with that in mind, I, I saw the reason we connected again is I saw a post from you that was a comment post from, uh, Eric,
[00:09:18] Casey Ellis: Yep.
[00:09:19] Sean Martin: who, uh.
[00:09:20] Casey Ellis: He's a good friend, by the way. I know it was a snarky response to that post, but Eric and I have a long history of robust conversations that are like
[00:09:28] Sean Martin: I'm, I'm, I'm hoping to connect with him as well. Um, so the, the, the term beg bounty came up and I was like, is this a play on words? And then I, you read the, you read the thread and it's like, no, this is actually a thing.
[00:09:42] Casey Ellis: It's a real thing. Yeah, a
[00:09:43] Sean Martin: so, uh, so what, what is a beg bounty?
[00:09:46] Casey Ellis: Yeah. So I mean, if you, if you go back, if you go back in time to when we first kicked things off, you know, the, the big, the big shift that happened there was like this existing vulnerability research community [00:10:00] that were out there doing their thing. You know, as I mentioned, there was like legal considerations around like, are we gonna get, you know, a C&D or are we gonna get our door kicked in because we're trying to be helpful here, but what we're doing looks like it's illegal.
Um, and then the other side of it was like, I think the work and the value of the things being discovered didn't really have a value attached to it. So you had this, this kind of core group of, of vulnerability researchers across all sorts of different domains like web, hardware, you know, binary, like all of it.
Um. Kind of not really getting a fair shake at at, at, you know, being in a position where they could actually help solve the problem. We came along and then, you know, a couple of other platforms kind of launched shortly after we did, and then there was a second wave probably two years later. And all the while that this is happening, there's this.
Kind of second generation community, just swelling around it. Like the, it was very much a, um, it was an [00:11:00] interesting season just for the cybersecurity industry in general. 'cause I think kind of everyone woke up to the fact that this could be a career path all at the same time. So, so you had all sorts of different folk come in.
You had people that came in that, you know, are like a 10 outta 10 for enthusiasm, but maybe a two or three outta 10 for, for like actual. You know, usefulness and effectiveness. Um, and then you get people that come in that are just savants and you've gotta figure out how to, you know, connect them up with, um, the right opportunities and sort of have them mature in their career and how they, how they apply it, right?
So, you know, that sort of influx of folk. Learning vulnerability discovery for the first time, like not necessarily having just sort of stumbled into it as hackers that suddenly realized what they were doing was valuable, which is kind of where my generation mostly started off. Um, they were deliberately engaging it as a potential career path, right.
So that's sort of the, the backstory in terms of the players in the mix and like, it went from being a fairly small group to being enormous. Um, the thing that [00:12:00] happened, or the, the thing that started to happen is, you know, if you've got this. This set of rules or this expectation of norms that are out there on the internet that if I find a bug, I get paid for it.
Or if people come in and they, they don't have the full context and they just kind of assume that's what bug bounty is and how it works or whatever else it might be, um, you end up with folks that are kind of like, when you pull up at a, at an intersection and someone jumps out with like the, the washer wiper thing, just kind of does, does the window and then asks you for money afterwards.
Right. And, um, that's basically what gets referred to as beg bounty. So, so you get people to come in and like, sometimes they're finding things like, I think it's the minority of times, they're actually finding things that are important that should be done for the better part. They're just sort of opportunistically saying, Hey, you've got like a missing HSTS header, or like you've got a weird certificate, or you've got some sort of benign, like the priority five issue.
Um, do you have a V... [00:13:00] Do you have a bug bounty program and can you pay me for it? Uh, that's, that's effectively what a beg bounty is.
[00:13:07] Sean Martin: I, I, I love the, uh, the wind, the window washer analogy. Yeah. 'cause I.
[00:13:12] Casey Ellis: it's, it's, it's a bit brutal, but it's completely accurate.
[00:13:16] Sean Martin: Because I, as you were describing it, uh, the first part of it, at least, um, I was thinking, um, instead of people going to hack the box, they're just going to somebody's web, website or web app and, and practicing there. Right. And if they find something, yeah. Let me see if I can, instead of getting points and hack the box, I get maybe some money.
[00:13:37] Casey Ellis: Yeah. Yeah. And, and the, the problem, the problem picks up when. You end up in, because like, there's been examples of this, like the Uber, the Uber case was like this. Um, and then when you look at, um, what happened with Optus in Australia when, when that breach happened, similar sort of thing, they, they went in.
These are [00:14:00] like young, young hackers that aren't necessarily thinking through, you know, no, you need to be offered this reward first if you like, find a thing and then contact the company and ask for money in exchange for, for information that could be used to harm that company. Like in most parts of the world, that's extortion and it's actually a really kind of a dangerous thing to do.
Um, yeah, and those are in the, those are in the kind of cases where there's been an actual like. Pretty serious breach of data or whatever else. Like for the better part, what we see is, is kind of what I was just describing. It's like, Hey sir, I've, you know, I've found this like critical issue. Um, do you have a bug bounty program?
If you do, I'll tell you and you can pay me some money for it. And generally it's lame. Like it's, it's garbage. Like it's, um. It's either made up or it's like they've run kind of a web app scanner and, and taken the output of that, and then just, they're just kind of firing it off opportunistically to see if they can get some money outta people.
Um, that last version, uh, that's the version that I was kind of talking about in this LinkedIn post [00:15:00] because I, I think the community, like the vulnerability research in the bug bounty community, um, there are some. Kind of established norms around, you know, how to conduct yourself in a way that keeps the entire community safe.
If that makes sense. Because like if we end up establishing a reputation as a, as a research community overall, um, that this is the kind of thing that we do, you know, the actions of a few end.
[00:15:30] Sean Martin: Right.
[00:15:30] Casey Ellis: Tarnishing the entire community. And I actually think that like internal community policing and some degree of call out culture is actually pretty appropriate for stuff like this.
'cause it's like, no, that's wrong. Stop doing it. Um, and if people don't stop doing it, then like, frankly beat up on 'em a little and, and like let them know that they're, they're being jerks and actually poisoning the well for everyone else. So that was, that was kind of the origin of the rant on, on, on LinkedIn that, uh, prompted this conversation.
[00:15:58] Sean Martin: Yeah, and I was, I was trying to [00:16:00] scroll through some of the stuff here and, and, um, or a few comments and what, what are your, the, the feedback that came in through, through that thread? Is there anything that stands out for you yeah, it just says we we're, we're in trouble or.
[00:16:18] Casey Ellis: Um, look, I, I don't, I think I. We are lacking. I mean, we're always in trouble, right? Like vulnerability discovery is just. Difficult, full stop. And it's necessary. It's important, I think, being able to understand where your risk is up to so you can do something about it. You know, any kind of self-respecting CISO has that as a part of their core job function, and this is one of the ways that you, you get that kind of information.
Um, I think the thing that's unique about it, and the thing that's actually valuable about it is that you're getting that information from the outside in a way that has no. Like institutional blinders on, right? Like, you don't, you, you're not constrained by, you know, [00:17:00] institutional knowledge or like wherever the tooling's up to or any of that other stuff.
It's just someone who's like looking at a thing with a fresh set of eyes and thinking about it in a completely different way and identifying a risk, right? Um, you can't suddenly just decide to listen to the entire internet all at once 'cause we'll go deaf. So like, somewhere between those two ideas, like there's truth and there's the way to approach it.
Um. You know, I do think that, uh, that, um, yeah, there, there is a, like, it does come out like that tendency to, to, to sort of tar everyone who's doing vuln research with, with the brush of. The, the beg bounty, beg bounty hunters are the ones that are kind of misbehaving, acting against the interests of the community.
So like that definitely pops out. I think the idea of like charging people like Eric's idea, and he wasn't being serious about it, he was just kind of throwing it out as they're like, this is really annoying. Um, but I did see a few people kind of taking it semi-seriously. And I'm like, well, that's. I understand the [00:18:00] economics of what he's trying to suggest here, and like that's part of the joke in some ways.
But seeing people actually properly take that on, it's like it's not fair in any stretch of the imagination to charge people to try to help you. Um, and it's the people that are genuinely doing that. That would be the ones that would actually be. Basically deterred by this, right? So you've still got the beg bounty hunters and the folks that are trying to game the system and just sort of opportunistically get cash.
They'll do that. 'cause that's just what they're doing. Right? Whereas the folk that are actually trying to help for real are gonna be kind of turned away by that, which is a bad outcome.
[00:18:35] Sean Martin: I'll, I'll, I'll paint this with probably a horrific analogy. Not, not that I
[00:18:41] Casey Ellis: go.
[00:18:41] Sean Martin: but, uh, I'll do it anyway. Um, personal shoppers, right?
[00:18:46] Casey Ellis: Right.
[00:18:47] Sean Martin: People who had money needed a service, they could go and find somebody to help them buy their food, their clothes, whatever. Um. And, and then we have the, [00:19:00] the gig economy, right?
Where platforms are built to give people a place to do that. Now, there's some restrictions. Now, I'm not saying that the bug bounty is necessarily along this line, but maybe the scope, maybe the scope of, of a bug bounty program might put restrictions on what people can look at, not look at. And so bringing it back to the gig economy, I know there are some.
Some stores here in New York that you can't shop at those stores through any apps. You actually have to go in, they don't even offer,
[00:19:33] Casey Ellis: Right. Yeah.
[00:19:34] Sean Martin: a thing. You have to go into the store and buy unless you get full circle, a personal shopper to do it for you outside of,
[00:19:42] Casey Ellis: Right, right.
[00:19:43] Sean Martin: of the app. So I'm just wondering if,
[00:19:46] Casey Ellis: Yeah,
[00:19:46] Sean Martin: and I know what you painted earlier,
[00:19:48] Casey Ellis: I get where you're going with that. Yeah, yeah,
[00:19:49] Sean Martin: there are people that. Aren't up to snuff and they can't actually get on a platform in a way. But I'm just wondering if, but they're, you're also describing, [00:20:00] or perhaps what Eric was maybe alluding to is that there may be legitimate people that
[00:20:06] Casey Ellis: yeah,
[00:20:07] Sean Martin: may, may have the goods to do good things, don't wanna work for a firm, don't wanna be on a platform, and they just wanna be independent contractors.
Right. And so I, I'm just wondering, does this mix and, and what do we, how do we make sense of that?
[00:20:25] Casey Ellis: it's a really like, it's a really interesting. Kind of what you're framing up there is a, is a problem and a set of tensions on the system at this point that keeps me up at night on, on a regular basis. 'cause, you know, some of these things I could kind of see them coming. It's like, how do we, and it's honestly part of why, why, um, we did disclose.io basically separately as a 501(c)(3).
With other folk into it. 'cause it's like, from my perspective, every organization should have the ability to receive security input from the outside. And as a part [00:21:00] of that, like actually clearly stating like, the easiest way to to mitigate this is you, you stand up a, a vulnerability disclosure policy and say that we don't pay.
Boom. So like when you get these kind of inbounds, you say like, here's the link to the thing. You didn't read the thing. Um. If you wanna tell me what you found, fine. If you don't, fine. We're done. Right. Um, and that, that actually works really well. So like, I think that that's, that's, you know, that's just a personal belief in terms of like internet transparency and really just the nature of how the internet works.
Like when you're talking about scope, you know, you can't tell the internet not to do a thing 'cause it just. That's not how this works, right? It, it's like the, the analogy, the metaphor I use all the time is it's kind of like walking outside if there's a thunderstorm coming and yelling at it and ask, like telling it not to hit your house with lightning.
Um, it's like, that's not how this works. So, so.
[00:21:55] Sean Martin: celebrating when it doesn't, just because.
[00:21:57] Casey Ellis: Yeah, yeah, yeah. And say, look at that. It [00:22:00] worked. Our, our policy, our scope restriction meant that we didn't get hacked in the things that were outta scope hooray. For us, it's like that's not what's actually happening. Um, so, you know, what do you do instead? You put up, like, you anticipate the fact that that can and will happen at some point in time.
You put up a lightning rod for, for things to come to, and then you route. That, that lightning strike around damage and get it to a place that you can deal with it. Like, I, I love that as a metaphor. 'cause it, to me that's sort of the overall physics of what we're working with here. Right. Um, in terms of the, the, the, the good folk.
If, if that makes sense. Like that's a lot of what Bugcrowd kind of built out. So we, we do these public programs, public VDPs and public bug bounty programs. But then a part of why we're doing that is to. Bring people onto the platform so we can understand like how skilled are they, like to what degree can we trust them, all those different things.
And then we'll run private programs where we're basically just inviting the folks that are a match into that. So it's like some organizations need [00:23:00] that, some are, are comfortable with the public thing. That's a version of, of the, I guess the, the secret shopper or the, you know, the private shopper thing that you were just talking about.
I think the challenge with that is that it doesn't solve the overall. Community problem that, that, that we're talking about here. Like, it, it's, that's great in terms of like figuring out how to drink from the fire hose of talent and, and get it on target. Like that's, it's doing that and it's great at that, but this whole idea of someone just coming in and saying.
You know, stuff that could potentially make it harder for all of us. It doesn't really address that part. So this is where, this is where I was kind of coming up and saying like, this idea of, basically it's, it's been all about the carrot to this point. So like, where's the stick? Is there, is there, you know, this sort of call out thing that, that Eric did with this particular individual.
Um, I think that that's actually an appropriate thing if you've got someone who's like a repeat offender or they're really causing an issue for the broader community, it's like. Stop it and like if they're not doing it, it's like, okay, we need to point this person out and make sure [00:24:00] that people know that we're aware that they're causing a problem and kind of distance the representation of what they're doing from, from the broader hurt.
I actually think that that's a positive thing, to be quite honest. It, it sounds nasty or, or whatever, but I do think it's important to do that type of thing when it's necessary.
[00:24:17] Sean Martin: yeah. And I think there was a bit of that. Uh, when. I don't see it as much anymore, but disclosure is without, again, disclose.io, disclosure is without private disclosure first. Right? So there, there's an ethical way of handling what you find.
[00:24:33] Casey Ellis: Yeah. Yeah. I mean that it, we, we, we we're flirting
[00:24:36] Sean Martin: it's hard. I remember finding
[00:24:37] Casey Ellis: debate there.
[00:24:38] Sean Martin: not, not even as a researcher, finding something and, and, and I see it on online still, I guess to some degree, but not a lot, where you find something and you just, you post and you mention some, the company on, on X or whatever, and say, I found this issue and maybe it's in good faith, but everybody can see that, and then off they go and
[00:24:58] Casey Ellis: Yeah, off they go and [00:25:00] go off and look for it. Yeah, I mean, we're getting into the responsible disclosure debate a little bit there, and it's that one's, that one's fun there. There's actually some stuff that we're working on that we're gonna publish on disclose.io around. Like norms, like here are the things that, you know, here's best practice for, for researchers.
Here's best practice for organizations. Part of the best practice for organizations is to, you know, help them realize that like sometimes folk just post it on Twitter 'cause they don't know any better. Or sometimes, like they're just kind of being jerks. That that does happen every now and then. Right. But for the better part, it's because, um, everything else has failed.
Like they're, they're, they're trying
[00:25:39] Sean Martin: no response.
[00:25:40] Casey Ellis: They've got, they've got no response. They like, they're genuinely concerned about the risk being created by this issue. And at that point, the only way to alert people that might be affected by it, but also get the attention of the vendor is to, is to drop 0day basically.
Um, that's like. You know, it, it's like hating that is like hating death and taxes. [00:26:00] Do you know what I mean? And like, I, I don't like when that happens. 'cause to me that increases the overall risk to the internet. It's a, it's a bad, it's a bad scene, but at the same time, like it's avoidable. And if, if things aren't done to avoid it, then you end up in that position.
So I just, I think kind of framing it up and thinking of it in that way is, is useful.
[00:26:20] Sean Martin: Yeah. And I remember, I wanna say maybe you, you. It corrected me. I used to joke that everybody was running a public bug bounty, whether they knew it or not. And I, I think, I think I recall maybe you saying that it's not really true, but maybe if I change it to beg bounty and there we go.
[00:26:42] Casey Ellis: Yeah. Yeah. I mean, you know, every, everyone's running, I think everyone's running a, a, a, you know, 24/7 pen test without necessarily getting the report. Like that's a, that's, that's absolutely a thing. Um, this beg bounty component. You know, the thing, the thing that makes it difficult on the [00:27:00] receiving side is that, you know, for, for organizations.
I mean, for organizations that have an established kind of incident response process, like every time this comes in, they have to kick that process off, which has a cost associated with it. So like that's annoying. And then downstream of that, you know, for folks that are smaller, like I get these on the disclose.io website 'cause there's a, you know, there's an SSL cipher that could be like configured differently.
All this other stuff, like every time that comes in, I've gotta look at it and think about like, is this relevant or not? Um, you know, I'm kind of used to that, but if, you know, thinking about it from through the lens of someone kind of experiencing it for the first time, like it's scary. It's like, is this hacker gonna, like, am I getting shaken down here?
Is this like, are they up on my systems, blah, blah, blah. Like, that can trigger all sorts of, like, fight or flight stuff on the recipient side. And it's just, you know, it's a, it's a bad scene. So it's like, how do we do better, I guess is where it comes back to.
[00:27:55] Sean Martin: Yeah, well, funny enough, and that, I don't know if it's coincidence or, I [00:28:00] mean, I did, I did share with folks a couple weeks back that we were gonna have this, this talk. Um, but today,
[00:28:07] Casey Ellis: That might have attracted 'em. Apologies if it did.
[00:28:10] Sean Martin: Uh, I did it myself. But today I got a message, an email. Hello. I'm a security researcher. I think I found something. I'd like to see if you have a bug bounty program to, uh, and I'm, yeah, well, we can discuss whether it's appropriate to share that or not, but, uh, a screenshot of that, but so clearly.
Even me. I mean, our website is literally a blog. I mean, we have a few pages and then blogs and we embed podcasts, uh, frames. It's not much to what we're doing, so I'm not too concerned. But it did, to your point, it made me pause and go, Hmm, what, what could, what could be there that could put me in jeopardy?
That I don't know. And
[00:28:52] Casey Ellis: Like to me, those, to me, those ones are the worst. Like the where, where it's like, do you have a bug bounty [00:29:00] program? Can you give me money? If you can, I'll tell you the thing that I've found. 'cause like you've got, for starters, like technically that's extortion. 'cause you're asking for money attached to an, to what could be easily kind of perceived as a threat.
Right? Um, and then for seconds, like there's no. There's no value. Like you could just like auto generate those emails and send them out everywhere and just see what came back without having done any kind of research or, or, or providing any sort of help. So it's just like that sort of thing is, you know, I think, I think the big thing there, um, you know, in terms of a response, like I said before, proactively putting a policy up that says, if you find something, if you think you've found something, send it here.
Here's what we'll do. No, we do not offer a reward. Um, if that's how you want to play it, then like. Being proactive about that, I think is like the easiest way to go. 'cause then you can just point to that thing. But then outside of it, just responding and saying, no, we don't. Um, if you wanna tell us, fine. If not, that's fine too.
[00:29:58] Sean Martin: Yeah.
[00:29:59] Casey Ellis: Have a nice day. [00:30:00] Yeah,
[00:30:01] Sean Martin: And so my, my initial thought is, and maybe we can kind of frame this for security leaders and CISOs listening, um, uh, I don't know. I'm sure people in the company get it who don't even know what to think of it. Um, so good, good answer or good, good. Some good insights there and some advice there.
But my, my initial thought was don't even engage. And I don't know if that's an appropriate response.
[00:30:26] Casey Ellis: I, I think it is. Yeah, actually I think that's a better res, like if you treat it as, as like an inbound piece of spam, um.
[00:30:38] Sean Martin: That's where it ended up. Funny enough.
[00:30:39] Casey Ellis: Yeah. Yeah. You know, and, and the caveat there, I'm, I'm trying to be careful with this one because there's, there's so many different ways this can kind of come in and, and some of them, as I mentioned before, will be valid.
Um, and, and, you know, potentially actionable. So it's, it's like, what I don't wanna say here is just route it all to /dev/null and throw the baby out with [00:31:00] the bath water. Um, but yeah, like treating stuff like that where it's just. I found something. Do you have a bug bounty program? Let me know. And there's no additional information outside of that.
Then treat it like, you know, you've got unpaid toll fines or, you know, we're calling about your car insurance.
[00:31:22] Sean Martin: Yes. Uh, so as I'm sitting here, I'm, I'm just thinking, wouldn't it be nice if disclose.io had a place I could forward that message to and
[00:31:32] Casey Ellis: Yeah. Yeah. No, it's, it's, it's an interesting, I mean, yeah, that, that whole idea of like the anti Hall of Fame, um. That's actually a fun idea as a catchall to be able to build out, you know, a list of offenders kind of doing this type of thing. But, uh, yeah, it's, it's, it's, it's a fun one. I think, you know, just, just the ability to, to me, like what we're working on at the moment and getting out shortly is, is, you know, this whole idea of like, don't do that.
Like if you are [00:32:00] as a researcher, if you've found something that you legitimately believe to be important. Um, that's like creating risk for the customer and their users and, and you think is something that they need to know about and that they need to fix. Like the number one piece of advice there is like, never ask for money in, in the initial interaction.
Just don't do it because like they haven't, that hasn't been offered. You know, that's not the deal that you are, you're kind of working under at that point in time. Um. And you know, the main reason for that is that it's, it's gonna actually help you get your message across because it won't be confused with extortion.
Like you won't get, you know, legal and all the other folk involved because of the, the financial kind of implication that you brought into it. You, you'll just get to talk about the bug and sometimes if it's good and there's a really good interaction, all those different things, like you can. End up in a position where you get offered a consulting arrangement or some sort of other thing on the backend.
Like that is the thing that happens [00:33:00] occasionally. But to go in and say, Hey, I'll help you if you tell me that you'll pay me. Like that's, it's not how it works in the real world. It's not how it should work here. Yeah.
[00:33:09] Sean Martin: Yeah, yeah, yeah. And even if it, this one doesn't exactly say pay, it
[00:33:15] Casey Ellis: Yeah. Bug bounty. Bug bounty implies it pretty strongly though,
[00:33:18] Sean Martin: It, it says, do you have any, do you have any rewards or incentives? Eh, yeah.
[00:33:21] Casey Ellis: There you go.
[00:33:22] Sean Martin: There you go. I'm gonna, yeah. Get paid in a t-shirt. I think somebody, somebody, uh, who owns the domain says, I gotta pay the t-shirt.
[00:33:29] Casey Ellis: It's, it's, it's a de it's a delicate thing. I know, I know we're hitting up on time here a little bit as well, but like, it is a delicate thing and, and I'm sure like. You know, of, of all of the stuff I've kind of run through as, as like mental models and ways to think about it in our conversation, there's gonna be edge cases to that, that I'll get yelled at about at some point because that's, it is sort of how this works.
Like there's a lot, like we're talking about, we're talking about bugs that aren't meant to be there in the first place, and people that you can't anticipate discovering [00:34:00] them, discovering them. So the fact that like. All of this is a product of unintended consequence. Um, the fact that it gets weird sometimes, like that should just be par for the course.
It's, it's more like, how do you establish sane baselines and kind of, you know, clear guardrails around standardized process and different things like that. And then just try to stick to that as best you can.
[00:34:19] Sean Martin: Yep. Uh, I think that's the, the best advice. And I think, uh, probably across the board for most things, security is understand what the unknown might look like and have a process in place to deal with that and deal with the unknowns that come in the middle of it as you, as you're responding.
[00:34:36] Casey Ellis: It's all about 80/20. Like it's, it's gotta be, otherwise you spend all your time in the 20 and you get nothing done.
[00:34:42] Sean Martin: Yeah, exactly. Uh, Casey. Good, good to chat with you, my friend.
[00:34:47] Casey Ellis: Yeah. Very cool to catch up, man. Appreciate it.
[00:34:49] Sean Martin: It's fun, fun to fun to talk about this topic and, and learn something new. And I'm gonna say, I'll, I'll point folks to, again, to disclose.io and, um, if you want, if there are other [00:35:00] resources you wanna share that are openly available, um, I'll throw those links in the notes for folks as well.
Of course, of course, folks. Can, uh, catch up with you directly, I would imagine.
[00:35:10] Casey Ellis: Yep. Absolutely. Absolutely. Yeah, I'm, I'm on all of the things, so
[00:35:14] Sean Martin: All the things. Exactly. And, uh, yeah. So, uh, thank, thanks for this and everybody listening and watching. Thanks for joining me here on another Redefining Cybersecurity where hopefully we, uh, can learn from each other, uh, how best to, uh, prepare for some of these things and, uh, have a good response.
The ultimate goal is to, uh, help the business safely generate revenue and protect that revenue. Once, uh, once it's generated, and, uh, cyber's a big part of that. So thanks, Casey. Thanks everybody. Catch you on the next episode.
[00:35:49] Casey Ellis: Thanks all.