There are two takes on this one.

The first is that it's a legitimate bug-bounty hunter. If your organisation doesn't have a published disclosure policy, this is a good prompt to ensure you have one.
See also RFC 9116 and https://en.wikipedia.org/wiki/Security.txt

Of course, any security researcher worth their salt will have already looked for this, so if you have one, and they're emailing you with the question anyway, you can probably ignore it without any consequence.

If you don't have one published, and there's any chance at all that the enquiry could be legit - acknowledging that Gmail fully anonymises their email operations such that bad guys use their services as much as good guys do - you may want to send back a response answering their (possibly legitimate) question.

Back to Gmail and anonymity: this is also entirely likely to be some form of contact validation spam - looking to get you to engage or acknowledge in order that your address is proven valid/real and perhaps soften you up for a malware delivery attempt. Once again, anonymity means that Gmail is a hive of this sort of activity because there's no real consequence for the sender, even if Google reacts to an abuse report.

If you suspect maliciousness:
- Report via https://support.google.com/mail/contact/abuse,
- ignore/delete,
- move on having let it consume as little of your time and energy as possible.

My (somewhat cynical but as yet not disproven) view is that Google appear to have no real interest in stopping this sort of thing (as evidenced by the fact that scammy use of gmail.com addresses continues). But... proactively publishing a disclosure policy, a security.txt file and ensuring it's accessible to genuine security researchers is a good way to separate the wheat from the chaff, as it were.

Mark.
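Since the thread's practical advice is to publish a security.txt per RFC 9116, here is an added example (not from the list post or from any mailop participant) of what "having one" means in checkable terms: a small validator that parses a security.txt body and reports the things the RFC makes mandatory or bounds (at least one Contact given as a mailto:, tel: or https: URI; exactly one Expires, which should be in the future and not more than a year out; at most one Preferred-Languages). The two sample files are constructed for this example; example.com is a placeholder and the field list follows the RFC's field names.

```python
"""Validate a security.txt body against the requirements of RFC 9116.

Added illustration for the mailop thread above; the sample files below
are constructed and the domain example.com is a placeholder.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample that satisfies the RFC's MUST-level rules.
SAMPLE_OK = """\
# Vulnerability disclosure contact for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
Policy: https://example.com/security-policy
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample with three defects: a bare e-mail address instead of
# a URI, no Expires field, and Preferred-Languages given twice.
SAMPLE_BAD = """\
Contact: security@example.com
Preferred-Languages: en
Preferred-Languages: de
"""


def parse_security_txt(text):
    """Return a list of (name, value) pairs; names lower-cased, comments skipped."""
    fields = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'name: value' field")
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []

    # Contact MUST appear at least once and each value MUST be a URI.
    contacts = [v for n, v in fields if n == "contact"]
    if not contacts:
        problems.append("Contact: required field is missing")
    for value in contacts:
        if not value.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact: not a mailto:/tel:/https: URI: {value}")

    # Expires MUST appear exactly once, as an RFC 3339 timestamp, and the
    # RFC recommends it be less than a year in the future.
    expires = [v for n, v in fields if n == "expires"]
    if len(expires) != 1:
        problems.append(f"Expires: must appear exactly once (found {len(expires)})")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                problems.append("Expires: timestamp lacks a timezone")
            elif when <= now:
                problems.append("Expires: file has expired; researchers may treat it as stale")
            elif when - now > timedelta(days=366):
                problems.append("Expires: more than a year ahead; RFC 9116 recommends less")
        except ValueError:
            problems.append(f"Expires: not an RFC 3339 timestamp: {expires[0]}")

    # Preferred-Languages MUST NOT appear more than once.
    langs = [v for n, v in fields if n == "preferred-languages"]
    if len(langs) > 1:
        problems.append("Preferred-Languages: must not appear more than once")

    return problems


if __name__ == "__main__":
    check_time = datetime(2026, 6, 1, tzinfo=timezone.utc)  # fixed clock for the demo
    for label, body in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, validate_security_txt(body, now=check_time) or "no problems")
```

Pointing the validator at the body fetched from https://yourdomain/.well-known/security.txt is left to the reader; the parse step above is deliberately strict about the `name: value` shape because a researcher's tooling will be too.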

On 2025-10-24 09:39, Anthony Howe via mailop wrote:
I've seen TWO of these messages from different Gmail addresses this
week so far.  Has anyone else seen these?  Domain changed to protect
the potentially embarrassed.

Anthony

-------- Forwarded Message --------
Subject:        Reporting a Security Vulnerability
Date:   Thu, 23 Oct 2025 13:27:58 -0700
From:   [email protected]
To:     [email protected]
Dear Support/Security Team,

I hope this email finds you well. My name is Mohamed Ibrahim, and I am
a security researcher/bug bounty hunter with experience in identifying
and responsibly disclosing security vulnerabilities.
While testing some technology, I have identified a security
vulnerability within your domain EXAMPLE.COM. To
ensure responsible disclosure, I would like to report this
vulnerability to your team. Could you please provide guidance on your
preferred process for submitting security reports? For example, do you
have a dedicated bug bounty program, a security contact email, or a
vulnerability disclosure policy? I am happy to provide further details
about the issue upon your confirmation of the appropriate reporting
channel.
My goal is to assist in securing your systems while adhering to best
practices for responsible disclosure.
Best regards,
Mohamed Ibrahim
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop