Dear "Security Researchers"

Beg-bounty “security research”

  • Many comments share examples (real or paraphrased) of extortion-flavored “bug bounty” emails: trivial findings labeled “critical”, paired with threats of public disclosure and inflated dollar demands.
  • Reports are often obviously wrong: flows that don’t exist, an “auth bypass” that amounts to copying an admin’s own session cookie, reading an app’s local database on a rooted phone, or missing security headers on a static site.
  • This behavior is likened to generic email scams and described as a kind of DoS on whoever must triage the reports.

Automated scanners, AI, and CVE noise

  • People note a surge of low-quality, tool- or AI-generated reports (e.g., from TLS/DMARC/security-header scanners and ReDoS detectors) that label marginal issues as high-severity vulnerabilities.
  • This drives “scareware”: every theoretical issue becomes something that “COULD be exploited,” independent of the target’s actual context or threat model.
  • CVE/CVSS are criticized as easily gamed and often mis-scored, generating `npm audit` noise and pressure on maintainers to fix non-issues.
  • Some mention countermeasures (context-aware scanning, a way to mark a CVE as not applicable or a false positive for a given consumer), but note they are not widely integrated into tooling.
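As an added example (not code from the thread or from any scanner mentioned in it), the following Python shows what “context-aware scanning” can mean in practice: the same scanner findings are re-scored against a description of what the target actually does, so that missing headers or a directory listing on an anonymous static mirror drop to informational while they keep their meaning on an application with sessions and user input. The check names, severity ceilings and target flags are all assumptions chosen for illustration.

```python
"""Context-aware re-scoring of scanner findings (added example; all check ids,
context flags and severity ceilings are assumptions, not any real scanner's)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]


@dataclass(frozen=True)
class TargetContext:
    """What the target actually does; these flags are the 'context' a scanner lacks."""
    has_sessions: bool          # sets or reads login/session cookies
    renders_user_content: bool  # shows HTML/JS that users can influence
    accepts_input: bool         # forms, uploads, write APIs
    intentionally_public: bool  # e.g. an anonymous file mirror


@dataclass(frozen=True)
class Finding:
    check: str     # scanner check id (hypothetical names)
    reported: str  # severity exactly as the scanner reported it


def cap(severity: str, ceiling: str) -> str:
    """Lower of two severities; never raises a scanner's own score."""
    return min(severity, ceiling, key=SEVERITY_ORDER.index)


# check id -> function(context) giving the highest severity the finding can
# justify on that target. Checks not listed keep the scanner's score untouched.
RULES: dict[str, Callable[[TargetContext], str]] = {
    # Clickjacking needs an authenticated UI to frame.
    "missing-x-frame-options": lambda c: "low" if c.has_sessions else "informational",
    # CSP mitigates script injection; a static listing has nothing to inject into.
    "missing-csp": lambda c: "low" if c.renders_user_content else "informational",
    # Cookie flags only matter for cookies that carry a session.
    "cookie-flags": lambda c: "medium" if c.has_sessions else "informational",
    # Missing DMARC is about spoofing the domain in mail, not the web app;
    # relevant, but never critical on its own.
    "dmarc-missing": lambda c: "medium",
    # A directory listing on a site meant to be browsed is the feature.
    "directory-listing": lambda c: "informational" if c.intentionally_public else "low",
    # ReDoS needs attacker-controlled input to reach the pattern.
    "redos-pattern": lambda c: "medium" if c.accepts_input else "informational",
}


def rescore(finding: Finding, ctx: TargetContext) -> str:
    ceiling = RULES.get(finding.check, lambda c: "critical")(ctx)
    return cap(finding.reported, ceiling)


def triage(findings, ctx: TargetContext, actionable_from: str = "medium"):
    """Split findings into (actionable, downgraded) tuples of (check, reported, rescored)."""
    threshold = SEVERITY_ORDER.index(actionable_from)
    actionable, downgraded = [], []
    for f in findings:
        rescored = rescore(f, ctx)
        bucket = actionable if SEVERITY_ORDER.index(rescored) >= threshold else downgraded
        bucket.append((f.check, f.reported, rescored))
    return actionable, downgraded


# Constructed sample: the kind of output a header/DNS scanner emits against a mirror.
SAMPLE_FINDINGS = [
    Finding("missing-x-frame-options", "high"),
    Finding("missing-csp", "high"),
    Finding("directory-listing", "medium"),
    Finding("dmarc-missing", "critical"),
    Finding("redos-pattern", "high"),
    Finding("path-traversal", "high"),  # not in RULES: keeps its scanner score
]
STATIC_MIRROR = TargetContext(has_sessions=False, renders_user_content=False,
                              accepts_input=False, intentionally_public=True)
WEB_APP = TargetContext(has_sessions=True, renders_user_content=True,
                        accepts_input=True, intentionally_public=False)

if __name__ == "__main__":
    for name, ctx in (("static mirror", STATIC_MIRROR), ("web app", WEB_APP)):
        actionable, downgraded = triage(SAMPLE_FINDINGS, ctx)
        print(f"{name}: {len(actionable)} actionable, {len(downgraded)} downgraded")
        for check, was, now in actionable + downgraded:
            print(f"  {check:24s} scanner={was:13s} context={now}")
```

The design choice is that rules only ever lower a score: a scanner’s “high” for an unknown check (here the constructed path-traversal finding) survives untouched, so the filter removes known-noise classes without hiding anything it does not understand. Against the static-mirror context only the DMARC and path-traversal findings stay actionable; against the web-app context the ReDoS finding also does.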

Impact on maintainers and system owners

  • Maintainers, especially in OSS, describe burnout from inbox spam, harassment, threats to file CVEs against their projects, and zero compensation.
  • Low signal-to-noise means legitimate, high-quality reports can be ignored along with the junk.
  • The Debian mirror notice is seen by some as understandable pushback after years of such abuse.

Bug bounties, incentives, and disclosure

  • “Beg bounty hunters” are said to have damaged the reputation of genuine security research.
  • Researchers report being ghosted after responsible disclosure, sometimes even by security companies; others describe threats of lawsuits.
  • Some argue it’s irrational to do unpaid security work without a prior agreement; others do it out of interest or civic duty and accept the lack of reward.

Broader views on security and risk

  • Several comments stress the importance of basic security hygiene despite industry dysfunction.
  • There’s debate over how often “the stars align” for real exploits and how to reason about risk vs. noise.
  • One view frames much of the security industry as liability-shifting theatre; another notes that, even so, hiring security firms can still materially harden systems.

Thread-specific notes

  • The ftp.bit.nl operator joins the thread, adds a security.txt (RFC 9116) to the server, and clarifies that the server is intentionally public (it even has a joke “pr0n” directory), to deter bogus reports.
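A constructed security.txt in the RFC 9116 format, added here as an illustration rather than the file the ftp.bit.nl operator actually published; the contact address, URLs, dates and policy wording are placeholders:

```text
# Served at https://example.org/.well-known/security.txt (the path RFC 9116 specifies)
Contact: mailto:security@example.org
Expires: 2026-12-31T23:59:59.000Z
Preferred-Languages: en, nl
Canonical: https://example.org/.well-known/security.txt
Policy: https://example.org/security-policy
```

Contact and Expires are the two required fields; an expired file is treated as stale, so the date needs to be renewed. The Policy URL is the place to state scope explicitly (for instance, that the host is an anonymous public mirror and that directory listings, missing browser security headers, TLS configuration and DMARC findings are out of scope), which gives triage a link to point at instead of arguing each beg-bounty email individually.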