Not every day do I get an email from a very serious security researcher, clearly a man on a mission to save the internet โ one vague, copy-pasted email at a time.
Hereโs the message I received:
From: Peter Hooks
<peterhooks007@gmail.com>
Subject: Security Vulnerability DisclosureHi Team,
Iโve identified security vulnerabilities in your app that may put users at risk. Iโd like to report these responsibly and help ensure they are resolved quickly.
Please advise on your disclosure protocol, or share details if you have a Bug Bounty program in place.
Looking forward to your reply.
Best regards,
Peter Hooks
Right. Letโs unpack this.
๐งฏ”Your App” โ What App?
I’m not a company. I’m not a startup. I’m not even a garage-based stealth tech bro.
I run a personal WordPress blog. Thatโs it.
There is no โapp.โ There are no โusers at riskโ (unless you count me, and Iฬทฬฬโฬทฬฬ mฬดฬฬช ฬดอฬนaฬธฬฝอlฬตฬฟฬฃrฬธฬฝอeฬตฬอaฬถฬอdฬตฬอyฬดฬฬผ ฬดอฬbฬถฬฬ eฬถฬฬปyฬดออoฬธฬฬฃnฬธฬฬฆdฬดฬฬ ฬถออsฬถออ aฬถอฬกvฬดออiฬตฬอnฬตฬอgฬธฬฬก).
๐ต๏ธโโ๏ธ The Anatomy of a Beg Bounty Email
This little email ticks all the classic marks of what the security community affectionately calls a beg bounty โ someone scanning random domains, finding trivial or non-issues, and fishing for a payout.
Want to see how common this is? Check out:
- Troy Huntโs excellent blog post on beg bounties
- Sophosโ warning on random bug bounty emails
- Intigritiโs insights into the latest beg bounty scam
๐ฎ My (Admittedly Snarky) Reply
I couldnโt resist. Hereโs the reply I sent:
Hi Peter,
Thanks for your email and your keen interest in my โappโ โ spoiler alert: there isnโt one. Just a humble personal blog here.
Your message hits all the classic marks of a beg bounty reconnaissance email:
- โ Generic โHi Teamโ greeting โ because who needs names?
- โ Vague claims of โsecurity vulnerabilitiesโ with zero specifics
- โ Polite inquiry about a bug bounty program (spoiler: none here, James)
- โ No proof, no details, just good old-fashioned mystery
- โ Friendly tone crafted to reel in easy targets
- โ Email address proudly featuring โ007โ โ very covert ops of you
Bravo. You almost had me convinced.
Iโll be featuring this charming little interaction in a blog post soon โ starring you, of course. If you ever feel like upgrading from vague templates to actual evidence, Iโm all ears. Until then, happy fishing!
Cheers,
Amedee
๐ข No Reply
Sadly, Peter didnโt write back.
No scathing rebuttal.
No actual vulnerabilities.
No awkward attempt at pivoting.
Just… silence.
#sadface
#crying
#missionfailed
๐ก๏ธ A Note for Fellow Nerds
If youโve got a domain name, no matter how small, thereโs a good chance youโll get emails like this.
Hereโs how to handle them:
- Stay calm โ most of these are low-effort probes.
- Donโt pay โ you owe nothing to random strangers on the internet.
- Donโt panic โ vague threats are just that: vague.
- Do check your stuff occasionally for actual issues.
- Bonus: write a blog post about it and enjoy the catharsis.
For more context on this phenomenon, donโt miss:
๐งต tl;dr
If your โsecurity researcherโ:
- doesnโt say what they found,
- doesnโt mention your actual domain or service,
- asks for a bug bounty up front,
- signs with a Gmail address ending in 007…
โฆitโs probably not the start of a beautiful friendship.
Got a similar email? Want help crafting a reply thatโs equally professional and petty?
Feel free to drop a comment or reach out โ Iโll even throw in a checklist.
Until then: stay patched, stay skeptical, and stay snarky. ๐
Remote Reply
Original Comment URL
Your Profile
Why do I need to enter my profile?
This site is part of the โ open social web, a network of interconnected social platforms (like Mastodon, Pixelfed, Friendica, and others). Unlike centralized social media, your account lives on a platform of your choice, and you can interact with people across different platforms.
By entering your profile, we can send you to your account where you can complete this action.
@amedee these guys are so annoying indeed