
0x53 | 2 years ago

I guess I wonder about the opposite side of this. While I hate the beg bounty people as well, I don't think security researchers should work for free. I have found several security vulnerabilities that I have never reported to the company because their security policy was basically "send us everything you found for free and we won't give you any credit".


notatoad|2 years ago

Nobody's asking security researchers to work for free. The people asking security researchers to work are paying them for that work.

If you're doing un-asked-for work, you can't expect to get paid.

bruce511|2 years ago

I agree. But there are advantages to be gained beyond mere payment. (Assuming the work is somewhat more than just "I fed your name into ssllabs".)

Say you find a genuine issue. You can document it and send it to them. You might suggest an appropriate amount, but you've given them something to evaluate. Chances are you get nothing, but there is still other value in the exercise.

You can also add this to your portfolio. Once you have a few of these apply for jobs at security firms. They can judge your skill level to see if you're worth adding to the team.

You can also determine if this is a whole class of problem. Publishing the issue (without naming the company involved) raises your profile. You can leverage that profile into paid work down the road.

Of course you should understand all this before you "do the work" in the first place. If you're gonna do random drive-by work you should understand your goals. Given that the parent did not disclose, presumably there was some other motivation in play.

matheusmoreira|2 years ago

> I have found several security vulnerabilities that I have never reported to the company

There's no problem with that. Anyone who does report anything is doing them a favor. Which they often repay with lawsuits.

codetrotter|2 years ago

> I don't think security researchers should work for free

I agree. The OP comes across a bit gatekeepy to me. Not everyone has made a big name for themselves yet.

How are you supposed to find customers in the first place? Gotta start somewhere.

Quality of the findings is orthogonal to asking for compensation.

There will always be people asking for money without providing value. But I don’t think we should throw the baby out with the bath water because of it.

rainonmoon|2 years ago

There are thousands of established bug bounty programs on the web. Ones in which companies actually solicit these messages. The reason these beg bounty hunters are sending unsolicited emails instead is because these programs explicitly descope all these stupid and irrelevant findings. If you want to establish your bona fides, this is a terrible way to go about it, especially given the legitimate alternatives.

hn_throwaway_99|2 years ago

> The OP comes across a bit gatekeepy to me.

Hard, hard disagree. I'm glad this "beg bounty" behavior has a name for it, because it's so f'ing obnoxious, and so common, and all it really does is make it that much harder when a serious researcher does need to report a real vulnerability.

Let's not pretend there is some sort of gray line between what responsible disclosure looks like, and what bullshit beg bounty disclosure looks like - after all, Hunt does an excellent job showing the difference. He showed an email he wrote that identifies where he's from, and gives clear verifiable evidence of a serious breach. That is night-and-day different from the "I found something naughty on your website, will you pay me??" example from the beg bountier.

Point being, if you are a serious researcher and you have actually found a high-value vulnerability, there are proper ways to message that even when you feel compensation is warranted. These beg bounties never look like that because they all have the same Achilles heel: the "vulnerability" is such an eye roller that they can't actually give evidence of it before asking for money precisely because they know it's so low value.

c0pium|2 years ago

> Quality of the findings is orthogonal to asking for compensation

This is a terrible take. Orthogonal to having a reputation, sure. Orthogonal to having a particular certification or credential, absolutely. But quality is absolutely non-negotiable. If your work is bad and nobody asked you to do it then you’re not a professional, you’re a charity.

Kalium|2 years ago

The issue here is that these people aren't providing value. Further, engaging with them as serious and sincere costs in time and energy. That's expensive when there's no payoff. From my own experiences, beg bounties reliably do not have findings of a useful quality and the begging approach is a very strong signal that the juice will not be worth the squeeze.

The piece is gatekeeping in the same way the spam filters we all use are gatekeeping. There's always stuff we want to keep on the far side of our filters. Beg bounties are among them for many.