Beg Bounties: The Scam That Almost Sounds Helpful
You get an email. It’s long. It’s detailed. It looks…oddly helpful.
The sender says they’ve discovered a critical vulnerability in your website or email setup. They use your domain name repeatedly. They drop some DNS terms. Maybe even screenshots. And then (surprise?) they end with something like:
“I believe I deserve to be compensated for bringing this to your attention.”
Cut the shit, and cue the red flags. That is a beg bounty.
Wait, this is a thing?
Yes. And it’s been happening for quite a while now.
Troy Hunt, a respected security expert, Microsoft Regional Director, and the founder of Have I Been Pwned, coined the term “beg bounty” in this post, where he details an email he received from someone claiming a “severe vulnerability” on his site. Spoiler alert: it was complete fluff.
How Beg Bounties Work
Here’s the play-by-play:
- They find your public email address (likely from WHOIS records or your site).
- They run generic tools like MxToolbox or Security Headers.
- They send a long-winded email listing common or already-resolved “issues.”
- They say they’re helping you, but really just want to invoice you for breathing.
Sometimes, they’ll say things like:
- “You are missing security headers.”
- “Your DMARC record is not set to reject.”
- “Spoofing is possible.”
Sometimes these are true. Sometimes they’re not. Either way, it’s not a billable event.
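If you want to check those two claims yourself before anyone gets paid, a few lines of Python do the job. This is an added example, not from the original post; the DMARC record and the HTTP headers below are constructed samples, and the header list is a common baseline, not a standard.

```python
"""Triage the two claims beg-bounty emails usually make: a DMARC policy
weaker than p=reject and missing HTTP security headers.
Added example; the record and headers below are constructed samples."""
from __future__ import annotations

# Constructed sample inputs: a DMARC TXT record and a site's response headers.
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

# Commonly recommended headers (a baseline assumption, not a standard).
RECOMMENDED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
)

def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record ("tag=value; tag=value") into a dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_verdict(record: str | None) -> str:
    """Say how much weight the 'DMARC not set to reject' claim carries."""
    if not record:
        return "no DMARC record: worth fixing, but still not a billable discovery"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "malformed record: check it, receivers will ignore it"
    policy = tags.get("p", "none").lower()
    if policy == "reject":
        return "p=reject already: the claim is simply false"
    return f"p={policy}: true but public knowledge; tighten on your own schedule"

def missing_headers(headers: dict[str, str]) -> list[str]:
    """Return recommended headers absent from a response (names are case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in RECOMMENDED_HEADERS if h.lower() not in present]

if __name__ == "__main__":
    print(dmarc_verdict(SAMPLE_DMARC))
    print("missing headers:", missing_headers(SAMPLE_HEADERS))
```

Swap in your real DMARC TXT record and a captured set of response headers, and you have the same "findings" the email is trying to bill you for.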
Red Flags to Watch For
- They use alarmist language and vague threats
- The email is unsolicited and not part of a bug bounty* program
- Their “discovery” is based on public information
- They end the message with a request for payment or future compensation
- They offer to “help fix it” for a fee (aka, upsell a problem they invented)
*A real bug bounty is a legit program (usually run by big companies or platforms like HackerOne or Bugcrowd) where ethical hackers get paid to find actual security flaws and report them properly.
What You Should Do
- Forward the email to your web developer or security provider
- Use a legitimate tool like SecurityHeaders.com or HaveIBeenPwned.com for awareness—but not panic
- Do not send money to random people who think they’re entitled to it just for running a public scan
- If you want to be proactive, ask your dev team for a security audit on your own terms
Basically, Don’t Pay People to Waste Your Time
Beg bounties aren’t real vulnerability disclosures. They’re digital guilt trips, dressed in a suit and trying to invoice you.
If someone really did find a security hole in your site? They’d likely follow a responsible disclosure process, not drop into your inbox with an email that starts with “Dear Sir.”
So next time you get a long scary email with DNS buzzwords and a request for cash? Just forward it to us.
We’ll be happy to reply with something like:
“Thank you for your concern. We also believe we deserve money, for having to read this.”