Over the past few weeks, several of our clients have received emails that look like they’re from well-meaning security researchers. These messages, sent from various Gmail accounts, all follow a strikingly similar structure. Here’s how they typically start:
“Dear Team,
I am a bug bounty hunter with a focus on securing websites and responsibly disclosing vulnerabilities…”
They go on to explain that they’ve discovered a Denial of Service (DoS) vulnerability in the site, often pointing to a file like load-scripts.php, and offer instructions on how to fix it. The email usually ends with a nudge:
“I look forward to your response and hope for a bounty reward for responsibly disclosing this issue to your website.”
Let’s take a look at what’s really going on here, and whether you need to worry.
Understanding the “vulnerability”
The emails generally point to a publicly known issue involving WordPress core files like load-scripts.php. By default, this file concatenates JavaScript files for the admin area to improve performance. In certain server setups, it could be abused for a DoS attack by repeatedly requesting it with an excessive number of script parameters.
Sounds concerning, right?
Here’s the reality: if you’re hosting your site with a reputable provider (like we do at Yardstick), you’re already protected. Many premium managed WordPress hosts proactively mitigate these types of threats through built-in server-level security measures and rate-limiting. In fact, we reached out to our hosting provider directly, and they confirmed that their infrastructure is already set up to prevent this kind of exploitation.
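As an added example (not part of the original post, and not Yardstick's or its host's tooling), here is the kind of defender-side check a host or site owner can run over a web access log: it flags requests to load-scripts.php that ask for an unusually large number of script handles, the pattern described above. The threshold, the log lines and the handle names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The WordPress core files these emails point at (load-styles.php behaves alike).
TARGET_FILES = ("/wp-admin/load-scripts.php", "/wp-admin/load-styles.php")
# Constructed threshold: normal admin pages ask for a few dozen handles; tune per site.
MAX_HANDLES = 50

LOG_LINE = re.compile(  # Apache/nginx "combined" access log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def count_handles(target: str) -> int:
    """Count script/style handles requested through load[...] parameters."""
    parts = urlsplit(target)
    if parts.path not in TARGET_FILES:
        return 0
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %5B%5D to []
    return sum(
        len([h for h in value.split(",") if h])
        for key, values in params.items() if key.startswith("load[")
        for value in values
    )


def scan_log(text: str, max_handles: int = MAX_HANDLES) -> list[dict]:
    """Return one record per request exceeding max_handles; skip unparseable lines."""
    flagged = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and (n := count_handles(m["target"])) > max_handles:
            flagged.append({"ip": m["ip"], "ts": m["ts"], "handles": n})
    return flagged


# Constructed sample log: two ordinary requests and one oversized one.
_BIG = ",".join(f"handle{i}" for i in range(300))  # 300 made-up handles
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Jun/2024:09:12:01 +0000] "GET /wp-admin/load-scripts.php'
    '?c=1&load%5Bchunk_0%5D=jquery-core,jquery-migrate,utils&ver=6.5 HTTP/1.1" 200 91234',
    '198.51.100.7 - - [10/Jun/2024:09:12:03 +0000] "GET /wp-admin/load-scripts.php'
    f'?load%5B%5D={_BIG} HTTP/1.1" 200 3019442',
    '203.0.113.5 - - [10/Jun/2024:09:12:05 +0000] "GET /wp-login.php HTTP/1.1" 200 5121',
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} asked for {hit['handles']} handles")
```

On a real host this check would sit beside the per-IP rate limiting the article mentions; the scan only shows which requests are worth limiting.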
Bug bounty or beg bounty?
This brings us to the bigger picture: is this a legitimate security disclosure or just a cleverly worded attempt to solicit money?
True bug bounty programs are typically run through platforms like HackerOne or Bugcrowd, where security researchers are rewarded for finding genuine, novel vulnerabilities in systems that explicitly invite this kind of testing. Importantly, these platforms have rules, vetting procedures, and clear scopes for what is and isn’t considered eligible for a reward.
By contrast, the emails we’re seeing are unsolicited, generic, and not part of any formal bounty program. The vulnerability mentioned isn’t new, isn’t exclusive to your site and, crucially, is already mitigated by good hosting infrastructure. It’s fair to say this falls into the category of what some in the industry call “beg bounties.”
What should you do if you receive one?
If you receive one of these messages, here is what to do:
- Don’t panic – These messages can sound alarming, but they often reference minor or mitigated issues.
- Don’t respond or offer payment – There’s no obligation to reward unsolicited vulnerability reports, especially when they offer no real value.
- Forward it to us – If you’re one of our clients, we’re happy to review these messages and confirm whether any action is needed.
Security through partnership
At The Yardstick Agency, we take your website’s security seriously. We partner with trusted providers, keep WordPress installations up to date, and apply best practices to harden your site against threats. And when something odd comes up, like this wave of copy-and-paste “bug bounty” messages, we’re here to investigate and give you clear, actionable advice.
So, if you’ve seen one of these emails land in your inbox, rest assured that you’re not alone, and you’re not at risk. But if you ever have concerns, just drop us a line, and we’ll be happy to help.
Need help with your website security or hosting?
Get in touch with our Digital team at Yardstick. We’re always here to support advisers and planners with calm, expert guidance. Email us at hi@theyardstickagency.co.uk or call 0115 8965 300.