This week, I noticed some new HTTP request headers that I had not seen before:

X-Request-Purpose: Research

and

X-Hackerone-Research: plusultra
X-Bugcrowd-Ninja: plusultra
X-Bug-Hunter: true

The purpose of these headers appears to be to identify them as being sent as part of a bug bounty. Some companies request the use of these headers as part of their bug bounty. For example, see Web.com's Bugcrowd page [1]. If you see these headers, there is a good chance that the request was sent as part of a bug bounty. At the same time, it is a bit odd that we see these in our honeypots. But some of our honeypots are part of corporate networks, and it is possible that they are in scope for a bug bounty. If the header is genuine, the username of the researcher would be "plusultra". On the other hand, there is no guarantee. Anybody may send this header.

The idea of sending a header like this makes some sense. This way, it is easier for a company to contact a researcher in case the scans are causing any issues. From a defensive point of view, you should probably just ignore these requests. I would not treat them any differently from any request without the header. Blocking requests with these headers does not make a lot of sense, nor does allowing them. Just block (or allow them) based on the remainder of the request. 

And, for any website out there that doesn't have it yet: Setting up a /.well-known/security.txt file makes a lot of sense [2].

[1] https://bugcrowd.com/engagements/webdotcom-vdp
[2] https://datatracker.ietf.org/doc/rfc9116/

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|