SHARED INTEL: Here’s why security analysts need to remain on high alert for fake bug reports

By Zac Amos

In an ideal world, cybersecurity analysts would get legitimate daily reports on improving a company’s security. Unfortunately, the likelihood of being handed unsolicited, untrustworthy advice is high.

Related: Tech giants foster third-party snooping

This is what fake bug reports are all about. Scammers now routinely spray out fake bug reports designed to take advantage of the naiveite and/or lack of vigilance of security analysts in the field.

Scammers will send reports known as bug bounties stating security vulnerabilities in a machine. The fraudster might claim it’s missing security credentials or necessary security software.

These often come as unsolicited phone calls or computer notifications and might sound convincing and well-intentioned, claiming they can solve all the vulnerabilities in the electronics if recipients buy the report.

Compounding risk

These engagements aim to extort money — and in the most severe circumstances with more advanced cybercriminal tactics — infect computers or steal data. Security analysts should be on high alert. Unless it’s someone from within an organization or part of a company’s employed team, a best practice is to second guess any experts claiming they have cybersecurity advice.

What may appear to be a legitimate cybersecurity query, may in fact be designed to flush out and exploit security in the system. Caution is the order of the day.


Fake bug reports can combine with other security threats to compound their impact. For example, they could also implement clickjacking — including false, actionable buttons or links that tempt unaware email recipients to redirect to malicious content.

Falling victim to a bug bounty can prove fatal to an organization’s cybersecurity risk assessment because accepting a deal informs cybercriminals that a company lacks security know-how. Ignorance like this invites subsequent attacks — probably in other forms — to coax more money out of the business.

These scammers are a security threat to honest, ethical hackers. They claim to be white hat hackers, which delegitimizes the services of trained and well-intentioned professionals. Companies undergoing multiple scams could eventually become distrusting of the industry entirely, developing complacency in a holistic cybersecurity strategy.

Best practices

Companies can instill bug bounty programs designed to incentivize independent white hat hackers to discover and responsibly report software vulnerabilities not on their radar. Recently, Salesforce has highlighted the issue, stating it had received over 4,000 bug reports in 2021 — so it’s invested millions in bug bounties.

As due diligence, businesses can seek the help of third parties or secure vulnerability tools to analyze the validity of a bug report. They can also formulate internal procedures for responding to vulnerability notices, such as who to contact in case of discovery and how triage looks. Training should be required to identify red flags so teams can discern between real and fake reports.

A legitimate, factual report will be specific and explain the ramifications of not adhering to the suggestions. The situations mentioned in the report will apply to particular systems in an organization, using precise terminology that aligns with a company’s established infrastructure. Vague language like “vulnerability” and “gap” to explain the issue is a tell the bug bounty is bogus.

Plus, companies can always search for copies of the bug reports online to see if the text looks like templates other businesses have received.

Another best practice is to always run bug bounty solicitations past trusted parties. No matter how knowledgeable or confident the offer sounds, the stranger is just trying to use others to exploit their own tech for a criminal’s gain. Fake bug reports are becoming rampant, and taking measures to stay safe and aware is crucial for personal and professional data.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone