{"id":8069,"date":"2025-10-31T04:03:56","date_gmt":"2025-10-31T04:03:56","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/10\/31\/32436\/"},"modified":"2025-10-31T04:03:56","modified_gmt":"2025-10-31T04:03:56","slug":"32436","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/10\/31\/32436\/","title":{"rendered":"X-Request-Purpose: Identifying &#8220;research&#8221; and bug bounty related scans?, (Thu, Oct 30th)"},"content":{"rendered":"\n<div>X-Request-Purpose: Identifying &#8220;research&#8221; and bug bounty related scans?, (Thu, Oct 30th)<\/div>\n<div>\n<p>This week, I noticed some new HTTP request headers that I had not seen before:<\/p>\n<blockquote>\n<p><code>X-Request-Purpose: Research<\/code><\/p>\n<\/blockquote>\n<p>and<\/p>\n<blockquote>\n<p><code>X-Hackerone-Research: plusultra<br \/>\nX-Bugcrowd-Ninja: plusultra<br \/>\nX-Bug-Hunter: true<\/code><\/p>\n<\/blockquote>\n<p>The purpose of these headers appears to be to identify the requests as being sent as part of a bug bounty program. Some companies ask researchers to send these headers as part of their bug bounty rules. For example, see Web.com&#8217;s Bugcrowd page [1]. If you see these headers, there is a good chance that the request was sent as part of a bug bounty. At the same time, it is a bit odd that we see these in our honeypots. But some of our honeypots are part of corporate networks, and it is possible that they are in scope for a bug bounty. If the header is genuine, the researcher&#8217;s username on the platform would be &#8220;plusultra&#8221;. There is no guarantee, however: the header is not authenticated in any way, and anybody may send it.<\/p>\n<p>The idea of sending a header like this makes some sense. This way, it is easier for a company to contact a researcher in case the scans are causing any issues. From a defensive point of view, you should probably just ignore these headers when deciding how to handle a request. 
I would not treat them any differently from any request without the header. Blocking requests just because they carry these headers does not make a lot of sense, nor does allowing them on that basis: the headers are unauthenticated and trivially spoofed. Block (or allow) based on the remainder of the request, and keep the header values in your logs so you can contact the researcher if a scan causes problems.<\/p>\n<p>And, for any website out there that doesn&#8217;t have it yet: setting up a \/.well-known\/security.txt file (RFC 9116) makes a lot of sense [2]. It gives researchers a defined contact point for exactly this kind of coordination.<\/p>\n<p>[1]\u00a0https:\/\/bugcrowd.com\/engagements\/webdotcom-vdp<br \/>\n[2]\u00a0https:\/\/datatracker.ietf.org\/doc\/rfc9116\/<\/p>\n<p><img decoding=\"async\" alt=\"x-hackerone-research, x-bugcrowd-ninja, x-bug-hunter headers\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/Screenshot%25202025-10-30%2520at%25209_20_36%25E2%2580%25AFAM.png?ssl=1\"><\/p>\n<p>&#8212;<br \/>\nJohannes B. Ullrich, Ph.D., Dean of Research, <a href=\"https:\/\/sans.edu\/\">SANS.edu<\/a><br \/>\n<a href=\"https:\/\/jbu.me\/164\">Twitter<\/a><\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n<p><a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32436\">Go to isc.sans.edu<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>X-Request-Purpose: Identifying &#8220;research&#8221; and bug bounty related scans?, (Thu, Oct 30th) This week, I noticed some new HTTP request headers that I had not seen before: X-Request-Purpose: Research and X-Hackerone-Research: plusultra X-Bugcrowd-Ninja: plusultra X-Bug-Hunter: true The purpose of these headers appears to be to identify them as being sent as part of a bug bounty. 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-8069","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8069"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8069"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8069\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8069"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8069"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8069"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
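Added example, not code from the ISC diary above: a small Python triage routine that does what the post recommends for the X-Request-Purpose, X-Hackerone-Research, X-Bugcrowd-Ninja and X-Bug-Hunter headers. The allow/block decision comes only from the request itself; the attribution headers are merely recorded so the researcher can be contacted. Because anybody can send them, every value is treated as untrusted and is clipped and reduced to printable ASCII before it reaches a log line. The two sample requests, the host name, the paths and the stand-in disposition rule are constructed for this example.

```python
import re

# Attribution headers seen in the diary. They are unauthenticated,
# so every value is handled as untrusted input.
RESEARCH_HEADERS = (
    'x-request-purpose',
    'x-hackerone-research',
    'x-bugcrowd-ninja',
    'x-bug-hunter',
)

# Constructed sample requests (not honeypot captures); the host name,
# paths and user agent are assumptions made for this example.
RESEARCH_REQUEST = (
    'GET /.well-known/security.txt HTTP/1.1\r\n'
    'Host: honeypot.example.net\r\n'
    'User-Agent: constructed-scanner/1.0\r\n'
    'X-Request-Purpose: Research\r\n'
    'X-Hackerone-Research: plusultra\r\n'
    'X-Bugcrowd-Ninja: plusultra\r\n'
    'X-Bug-Hunter: true\r\n'
    '\r\n'
)

# Same handle, but a traversal path and a bare LF smuggled into the
# header value to try to split the log line.
SPOOFED_REQUEST = (
    'GET /../../etc/passwd HTTP/1.1\r\n'
    'Host: honeypot.example.net\r\n'
    'X-Hackerone-Research: plusultra\nINJECTED: yes\r\n'
    'X-Bug-Hunter: true\r\n'
    '\r\n'
)

_NOT_PRINTABLE = re.compile(r'[^\x20-\x7e]')


def parse_request(raw):
    '''Split a raw HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased; a repeated header is joined with ', '.
    '''
    head = raw.split('\r\n\r\n', 1)[0]
    lines = head.split('\r\n')
    method, target, _version = lines[0].split(' ', 2)
    headers = {}
    for line in lines[1:]:
        if ':' not in line:
            continue
        name, value = line.split(':', 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ', ' + value if name in headers else value
    return method, target, headers


def research_attribution(headers, max_len=64):
    '''Collect the attribution headers for the log, defanged.

    Anything outside printable ASCII (newlines, terminal escapes) is
    replaced and the value is clipped, so a spoofed header cannot
    forge extra log lines.
    '''
    found = {}
    for name in RESEARCH_HEADERS:
        if name in headers:
            found[name] = _NOT_PRINTABLE.sub('?', headers[name])[:max_len]
    return found


def disposition(method, target):
    '''Stand-in for the real WAF/allow-list rule set. It looks only at
    the request itself; the attribution headers never reach it.'''
    if method not in ('GET', 'HEAD', 'POST'):
        return 'block'
    if '../' in target or '..%2f' in target.lower():
        return 'block'
    return 'allow'


def triage(raw):
    '''Return the decision plus whatever the request claims about itself.'''
    method, target, headers = parse_request(raw)
    research = research_attribution(headers)
    return {
        'action': disposition(method, target),
        'research': research,
        'claimed_by': research.get('x-hackerone-research') or research.get('x-bugcrowd-ninja'),
    }


def log_line(raw):
    '''One-line record for a SIEM: the decision first, the claim after.'''
    result = triage(raw)
    claims = ' '.join(k + '=' + v for k, v in sorted(result['research'].items()))
    return 'action=' + result['action'] + ' research_claim=[' + claims + ']'


if __name__ == '__main__':
    for sample in (RESEARCH_REQUEST, SPOOFED_REQUEST):
        print(log_line(sample))
```

The spoofed request is blocked for its traversal path even though it claims to be research, and the genuine-looking one is allowed for its harmless path, not for its headers; either way the handle ends up in the log as a lead, never as a decision input.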
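Added example, not from the diary or from RFC 9116 itself: a Python check for the /.well-known/security.txt file the post recommends. It enforces the RFC 9116 rules that matter most in practice: at least one Contact given as a URI (restricted here, more strictly than the RFC, to the https, mailto and tel schemes the RFC suggests), exactly one Expires in ISO 8601 that is still in the future and, as the RFC recommends, less than a year out, and at most one Preferred-Languages. The sample file, its addresses, URLs and dates are constructed for this example.

```python
from datetime import datetime, timezone

# Constructed sample security.txt in RFC 9116 layout. The addresses,
# URLs and the expiry date are assumptions for this example.
SAMPLE_SECURITY_TXT = '''# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security-contact
Expires: 2026-12-31T23:59:00z
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
'''

# Stricter than the RFC, which only requires a URI: accept the three
# schemes RFC 9116 itself suggests for a contact point.
ALLOWED_CONTACT_SCHEMES = ('https://', 'mailto:', 'tel:')


def parse_security_txt(text):
    '''Map lower-cased field names to the list of values seen for each.'''
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # blank lines and comments carry no fields
        if ':' not in line:
            continue  # not a name: value line; ignored
        name, value = line.split(':', 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_iso_datetime(value):
    '''ISO 8601 date-time as RFC 9116 uses it; a trailing z/Z means UTC.'''
    if value and value[-1] in 'zZ':
        value = value[:-1] + '+00:00'
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def validate_security_txt(text, now=None):
    '''Return a list of problems; an empty list means the file passes.

    now may be a datetime, an ISO 8601 string, or None for the clock.
    '''
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_iso_datetime(now)
    fields = parse_security_txt(text)
    problems = []

    contacts = fields.get('contact', [])
    if not contacts:
        problems.append('missing required Contact field')
    for contact in contacts:
        if not contact.lower().startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append('Contact is not an https/mailto/tel URI: ' + contact)

    expires = fields.get('expires', [])
    if len(expires) != 1:
        problems.append('exactly one Expires field is required')
    else:
        try:
            expiry = parse_iso_datetime(expires[0])
        except ValueError:
            problems.append('Expires is not an ISO 8601 date-time: ' + expires[0])
        else:
            if expiry <= now:
                problems.append('Expires is in the past: ' + expires[0])
            elif (expiry - now).days > 365:
                problems.append('Expires is more than a year out; RFC 9116 recommends less')

    if len(fields.get('preferred-languages', [])) > 1:
        problems.append('Preferred-Languages may appear at most once')
    return problems


if __name__ == '__main__':
    for problem in validate_security_txt(SAMPLE_SECURITY_TXT) or ['OK']:
        print(problem)
```

Run it against the file you actually serve (fetch it over HTTPS first, since the RFC requires the file at that path) and wire the Expires check into a scheduled job: an expired security.txt is the most common way these files quietly stop being useful.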