🎣 The Curious Case of the Beg Bounty Bait — or: Licence to Phish
Not every day do I get an email from a very serious security researcher, clearly a man on a mission to save the internet — one vague, copy-pasted email at a time.
Here’s the message I received:
From: Peter Hooks
<peterhooks007@gmail.com>
Subject: Security Vulnerability DisclosureHi Team,
I’ve identified security vulnerabilities in your app that may put users at risk. I’d like to report these responsibly and help ensure they are resolved quickly.
Please advise on your disclosure protocol, or share details if you have a Bug Bounty program in place.
Looking forward to your reply.
Best regards,
Peter Hooks
Right. Let’s unpack this.
🧯”Your App” — What App?
I’m not a company. I’m not a startup. I’m not even a garage-based stealth tech bro.
I run a personal WordPress blog. That’s it.
There is no “app.” There are no “users at risk” (unless you count me, and I̷̜̓’̷̠̋m̴̪̓ ̴̹́a̸͙̽ḷ̵̿r̸͇̽ë̵͖a̶͖̋ḋ̵͓ŷ̴̼ ̴̖͂b̶̠̋é̶̻ÿ̴͇́ọ̸̒ń̸̦d̴̟̆ ̶͉͒s̶̀ͅa̶̡͗v̴͙͊i̵͖̊n̵͖̆g̸̡̔).
🕵️♂️ The Anatomy of a Beg Bounty Email
This little email ticks all the classic marks of what the security community affectionately calls a beg bounty — someone scanning random domains, finding trivial or non-issues, and fishing for a payout.
Want to see how common this is? Check out:
- Troy Hunt’s excellent blog post on beg bounties
- Sophos’ warning on random bug bounty emails
- Intigriti’s insights into the latest beg bounty scam
📮 My (Admittedly Snarky) Reply
I couldn’t resist. Here’s the reply I sent:
Hi Peter,
Thanks for your email and your keen interest in my “app” — spoiler alert: there isn’t one. Just a humble personal blog here.
Your message hits all the classic marks of a beg bounty reconnaissance email:
- ✅ Generic “Hi Team” greeting — because who needs names?
- ✅ Vague claims of “security vulnerabilities” with zero specifics
- ✅ Polite inquiry about a bug bounty program (spoiler: none here, James)
- ✅ No proof, no details, just good old-fashioned mystery
- ✅ Friendly tone crafted to reel in easy targets
- ✅ Email address proudly featuring “007” — very covert ops of you
Bravo. You almost had me convinced.
I’ll be featuring this charming little interaction in a blog post soon — starring you, of course. If you ever feel like upgrading from vague templates to actual evidence, I’m all ears. Until then, happy fishing!
Cheers,
Amedee
😢 No Reply
Sadly, Peter didn’t write back.
No scathing rebuttal.
No actual vulnerabilities.
No awkward attempt at pivoting.
Just… silence.
#sadface
#crying
#missionfailed
🛡️ A Note for Fellow Nerds
If you’ve got a domain name, no matter how small, there’s a good chance you’ll get emails like this.
Here’s how to handle them:
- Stay calm — most of these are low-effort probes.
- Don’t pay — you owe nothing to random strangers on the internet.
- Don’t panic — vague threats are just that: vague.
- Do check your stuff occasionally for actual issues.
- Bonus: write a blog post about it and enjoy the catharsis.
For more context on this phenomenon, don’t miss:
🧵 tl;dr
If your “security researcher”:
- doesn’t say what they found,
- doesn’t mention your actual domain or service,
- asks for a bug bounty up front,
- signs with a Gmail address ending in 007…
…it’s probably not the start of a beautiful friendship.
Got a similar email? Want help crafting a reply that’s equally professional and petty?
Feel free to drop a comment or reach out — I’ll even throw in a checklist.
Until then: stay patched, stay skeptical, and stay snarky. 😎