Organizations with a program simply filter out such reports and point submitters to the program/policy explaining why these types of reports don’t qualify for payment. Those without programs, however, are likely unprepared to deal with these “security advisories.” They may overestimate the severity of the risk reported and can find it harder to explain that they don’t pay for bug reports at all, let alone something of low severity. Enter the beginning of the “beg bounty”. I wrote about this a few weeks ago, and it seems to have struck a chord with some of our readers. Security engineers reached out with their own experiences, and I learned of a couple more examples fielded by the security team at Sophos. The concept of begging for a reward for innocuous or meaningless reports appears to be reaching a fever pitch.