Beware of technical “experts” bombarding you with bug reports
2021-02-09 19:35

You probably know that many companies these days have a way for bug hunters - some of whom make their living from figuring out security holes in corporate websites and software - to report problems they've found, and potentially to get paid for their work.

As haphazard as this sounds, bug bounty programmes usually follow a well-structured format, and professional bug hunters work carefully within well-defined limits while they're probing for holes.

At the same time, bug bounty programmes typically have sufficiently well-defined boundaries that they don't offer a casual "Get out of jail free" excuse that could be abused by criminals whose intention is not to help fix problems but to find and exploit them.

One of the sample "beg bounties" that Chester dissected, for example, tells you that you have a security hole in your website, but backs up the claim with some copied-and-pasted waffle about a security technology that applies to email servers.

If there is any truth in an alleged security hole that a self-proclaimed bounty hunter reported to you, a trustworthy security and penetration testing company should find it and help you to fix it properly.

If the alleged vulnerability is made-up garbage, a trustworthy cybersecurity partner will figure that out too, and stop you wasting money on a 'precaution' that does nothing except to give you a false sense of security.


News URL

https://nakedsecurity.sophos.com/2021/02/09/beware-of-technical-experts-bombarding-you-with-bug-reports/