Ethical or Unethical Hacker?

Yesterday I received an email from Chris Mazzula, claiming to be an ethical hacker, and they found a “bug” in my WordPress website, an xmlrpc.php exploit from 2018. Now, for reporting this “bug” to me, I got this response:
I think it would be justifiable if your website grant me a reward as a token of appreciation.
Standard reward for this bug as per hackerone bug bounty policy:

When I stated, “Well, maybe if I had asked you to do this for me I would be happy to pay you; however, I am not in the practice of paying random visitors to my website.”

Has anyone else had this issue?

Sounds like the virtual equivalent of those guys who try to wash your windscreen with a bottle of drain water and a dirty rag at the traffic lights.
Bug bounties are a good thing, but that’s not how they work, Chris.

I tend to use a catch-all email account for my domains just to see what random addresses get hit. I get some weird emails, from dead relatives trying to give me money right through to the cheap boner pills. Have not had one from Chris yet! Look forward to the day 🙂

Well, I haven’t heard back from him as yet. I did block the city of Karachi, where he lives, from accessing my site, but we all know how that works.

This is a very common issue in the bug bounty scene. Many beginners will submit various “reports” regarding non-severe vulnerabilities in return for a mention on the vendor’s website. It is a way of building clout without actually doing any work.

I would recommend setting up your own policy regarding the permissible scope and your terms of engagement.

This guy is a huge tool. I am a little conflicted: the vuln he reported was not actually a real vulnerability, and he continued to ask for money. The funny thing is I have done a few responsible disclosures myself, and it gets extremely shady when you begin to demand. I would not pay this guy at all, since it will allow him to continue down this path of entitlement. I think it’s perfectly great to make a single request for compensation, but when the answer is no, you cross a line.

Informative post; I am a newbie here. It’s really helpful for me.