Have you received an email from "ethical hackers" reporting website vulnerabilities and wondering what to do next?
This article will provide guidance and the steps you should take if you receive an email from scammers informing you that you have a vulnerability on your website.
How the scam works
The scammer runs a public, third-party scan tool to identify possible vulnerabilities such as the lack of optional HTTP headers, missing DMARC records, or the possibility that rate limiting is not being enforced.
Often the "vulnerabilities" they detect are not applicable in your hosting environment or do not represent a threat at all; instead, the scammer uses them as leverage for a payment request, which they call a bug bounty.
Bug bounties are common amongst large companies that actively invite members of the public to test their security. In this case, however, an unsolicited request for one is not legitimate.
If you engage in these emails, the requests usually become more aggressive with threats to disclose the vulnerability publicly.
The steps you should take
Do not engage with or reply to these emails; the "threats" they identify are generally not an issue.
The scammers typically point either to a vulnerability that does not exist (e.g. brute-force attacks) or to headers that are optional but missing.
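To see why these reports are usually informational rather than urgent, the following added example (not ProStack's tooling, and not from the original article) triages the two kinds of "findings" described above: it checks a constructed set of HTTP response headers for commonly flagged optional hardening headers, and parses a constructed DMARC TXT record to tell a missing or monitor-only record from an enforcing one. The header list, severity labels and sample values are assumptions chosen for illustration; rate limiting cannot be judged from a static record, so it is not covered.

```python
"""Triage of typical automated-scan 'findings' quoted in a beg-bounty email.

Added example; not part of the original article or any ProStack tooling.
Inputs are constructed in this file so it runs offline.
"""
from typing import Dict, List, Optional, Tuple

# Headers scanners commonly flag when absent. Their absence is a hardening
# opportunity, not an exploitable vulnerability on its own (assumed list).
OPTIONAL_HARDENING_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
)


def triage_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (finding, severity) pairs for a set of HTTP response headers."""
    present = {k.lower(): v for k, v in headers.items()}
    findings: List[Tuple[str, str]] = []
    for name in OPTIONAL_HARDENING_HEADERS:
        if name not in present:
            findings.append((f"missing header {name}", "informational"))
    # A Server banner that includes a version number is worth trimming,
    # but still is not an exploitable bug by itself.
    server = present.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append((f"server header exposes version: {server}", "low"))
    return findings


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record ('v=DMARC1; p=...; ...') into tag=value pairs."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def triage_dmarc(txt: Optional[str]) -> Tuple[str, str]:
    """Classify a DMARC record as missing, malformed, monitor-only or enforcing."""
    if not txt:
        return ("no DMARC record", "low")
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ("malformed DMARC record", "low")
    policy = tags.get("p", "none").lower()
    if policy == "none":
        return ("DMARC policy p=none (monitor only)", "informational")
    return (f"DMARC enforcing (p={policy})", "ok")


# Constructed sample inputs of the kind a scan report quotes back at you.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
    "Server": "nginx",
}
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for finding, severity in triage_headers(SAMPLE_HEADERS):
        print(f"[{severity}] {finding}")
    finding, severity = triage_dmarc(SAMPLE_DMARC)
    print(f"[{severity}] {finding}")
```

Run against the constructed sample, every header finding comes out as informational and the DMARC record is already enforcing, which is the usual shape of these reports: a list of optional hardening items presented as if they were exploitable flaws.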
We recommend you do not engage at all with these messages. In our experience, replying presents a greater risk as the scammer will try and coerce you into giving them money.
Simply ignoring these emails is the safest thing to do.
Need further assistance?
If you have any concerns about the security of your servers, please contact the ProStack Support team as soon as possible and we can get this resolved for you. [Get in touch today!]