mnutt has quit [Read error: Connection reset by peer]
mnutt has joined #sandstorm
<kentonv>
someone contacted me to report a "security vulnerability". The vulnerability is that we have a shell script on our server, and shell scripts do all sorts of dangerous stuff! The email says: "Step to reproduce: https://install.sandstorm.io/install.sh" and then contains a screenshot of a browser viewing that URL.
<kentonv>
why
<ocdtrekkie>
It's a Huntr thing innit?
<TimMc>
kentonv: We had someone gravely warn us of the presence of a robots.txt file on our site.
<TimMc>
Oh, by the way, that weird Cookie header thing? I think it's something in the Windows 10 network stack. :-)
<TimMc>
We observed it across a number of user agents and figured it had to be a proxy, but then someone noticed they were all Win 10. Maybe it's malware or AV screwing with stuff.
<TimMc>
The internet is full of wonders.
<kentonv>
oh yeah, shitty AV is totally plausible
<kentonv>
malware also plausible
<TimMc>
They can be... hard to tell apart sometimes.
<kentonv>
ocdtrekkie, no, I get these very-low-quality reports somewhat regularly, from people who are hoping we'll pay them a bug bounty even though we don't have any bug bounty program.
<kentonv>
I replied to the guy to tell him this is working as expected and he asked if he could get a bounty anyway for his efforts. -_-
<ocdtrekkie>
Like even if we didn't have to pay the bounty if we had one, I'd be personally annoyed if anyone got paid a bounty to complain we have an install script hosted on the website so people can use it.
<ocdtrekkie>
Just incentivized poor-quality security work.
<kentonv>
yes, I certainly would never pay a bounty for this crap
<kentonv>
the most common report by far is missing DMARC records on sandstorm.io. People report this to me all the time and then ask for a bounty. I'm like "yeah I know, I don't really care enough to do anything about it"
<kentonv>
part of me thinks I should do it just so people stop reporting it and part of me worries that if I do then they'll claim I did it because they reported it and so they deserve a bounty even more
<kentonv>
hell I probably would have set up DMARC records by now if no one had reported it, I just don't want to now out of spite!
<ocdtrekkie>
My theory is that in most cases it's really important to have SPF and DKIM, and if those are working you are probably providing more than adequate information for mail servers to make good decisions.