As an independent security researcher, I believe in responsible disclosure and helping organizations improve their security posture. This post documents my experience reporting multiple security issues to Firefish and the events that followed.

The Reports

Over time, I identified and responsibly disclosed multiple security-related findings affecting Firefish. These included:

  • Content Spoofing via Email Parameter
  • Missing Rate Limiting on Admin Login
  • Deprecated TLS 1.0 Supported
  • Missing Rate Limiting on Sign-Up Enables Mail Bombing
  • Missing X-Content-Type-Options Header
  • Missing HTTP Strict Transport Security (HSTS)
  • SPF Softfail (~all) Allows Email Spoofing
  • Weak DMARC Policy (p=quarantine Instead of p=reject)
  • Password History Reuse Allowed (Missing Password History Enforcement)
  • Server-Side Denial of Service via Unrestricted Password Length
  • Missing Content Security Policy (CSP) Header
  • Missing Self-XSS Protection

Each report was documented and submitted through the appropriate channels following responsible disclosure practices.
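Several of the findings listed above (missing HSTS, CSP and X-Content-Type-Options headers, an SPF record ending in ~all, and a DMARC policy of p=quarantine) are checks a defender can run offline against a captured response and the domain's TXT records. The script below is an added example written for this post; it is not code from the original article and not Firefish's code. The header values and DNS records it audits are constructed samples, not captures from any real site, and the helper names (audit_headers, audit_spf, audit_dmarc) are assumptions of this example.

```python
"""Offline audit of the hardening classes named in the findings list.

Added example, not the post's or Firefish's code. Inputs are constructed
samples; in practice you would feed it the headers of a real HTTPS response
and the TXT records for the domain and its _dmarc subdomain.
"""
from typing import Dict, List, Optional

# Header names the report flagged as missing, with a sensible hardened value.
REQUIRED_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-content-type-options": "nosniff",
}
ONE_YEAR = 31536000  # seconds; common minimum for an HSTS max-age


def _directive(value: str, key: str) -> Optional[str]:
    """Return the value of `key=...` inside a ';'-separated header or DMARC record."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == key:
            return val.strip()
    return None


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Report missing or weak security headers; names are matched case-insensitively."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, recommended in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(f"missing {name} (recommend: {recommended})")
    hsts = present.get("strict-transport-security")
    if hsts is not None:
        max_age = _directive(hsts, "max-age")
        if max_age is None or not max_age.isdigit() or int(max_age) < ONE_YEAR:
            findings.append("weak strict-transport-security: max-age below one year")
    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("weak x-content-type-options: value is not 'nosniff'")
    return findings


def audit_spf(record: str) -> List[str]:
    """Flag an SPF record whose catch-all mechanism is not a hard fail (-all)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return ["SPF has no 'all' mechanism; unlisted senders evaluate as neutral"]
    first = all_terms[-1][0]
    qualifier = first if first in "+-~?" else "+"  # RFC 7208: no qualifier means '+'
    if qualifier == "-":
        return []
    meaning = {"~": "softfail", "?": "neutral", "+": "pass"}[qualifier]
    return [f"SPF ends in {qualifier}all ({meaning}); use -all"]


def audit_dmarc(record: str) -> List[str]:
    """Flag a DMARC policy weaker than p=reject (the p=quarantine case from the list)."""
    if (_directive(record, "v") or "").upper() != "DMARC1":
        return ["not a DMARC record"]
    policy = (_directive(record, "p") or "").lower()
    findings = []
    if policy != "reject":
        findings.append(f"DMARC policy is p={policy or 'missing'}; use p=reject")
    pct = _directive(record, "pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct} applies the policy to only part of the mail")
    return findings


# Constructed sample inputs (not captured from any real site).
WEAK_HEADERS = {"Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "DENY"}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
}
WEAK_SPF = "v=spf1 include:_spf.mail.example.test ~all"
WEAK_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test"

if __name__ == "__main__":
    for label, findings in [
        ("weak headers", audit_headers(WEAK_HEADERS)),
        ("hardened headers", audit_headers(HARDENED_HEADERS)),
        ("spf", audit_spf(WEAK_SPF)),
        ("dmarc", audit_dmarc(WEAK_DMARC)),
    ]:
        print(label, "->", findings or ["ok"])
```

The SPF check looks only at the last `all` term, which is the one that matters in evaluation, and treats a qualifier-less `all` as `+all`; the DMARC check also reports a `pct` below 100, since a reject policy applied to only part of the mail stream still leaves room for spoofed messages to be delivered.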

Payment Discussions

After the reports were submitted, I was informed that a reward would be processed within one week. When that deadline passed, I was told the payment would be made the following week instead.

During the process, I was asked to provide a complete list of all the issues I had identified so they could be evaluated together. I complied and submitted all of the findings.

However, after the review process, all reports were ultimately classified as informational or otherwise ineligible for a bounty reward. Instead, I was offered a goodwill payment of 100 EUR.

Email: gorrdy@firefish.io

My Concerns

Based on the scope and severity of the reported issues, as well as the time invested in identifying, validating, documenting, and responsibly disclosing them, I was disappointed with the outcome.

My primary concern is not only the reward amount but also the process itself. Payment discussions took place, timelines were provided, and additional information was requested before the final decision was communicated. The delays and lack of clear communication made the experience frustrating.

Why Transparency Matters

Bug bounty and vulnerability disclosure programs rely on trust between researchers and organizations. Researchers invest their time and expertise to help companies identify and fix security weaknesses before they can be abused.

Clear communication, transparent evaluation criteria, and timely responses are essential to maintaining that trust.

Final Thoughts

This article reflects my personal experience with Firefish's vulnerability disclosure process. I remain committed to responsible disclosure and security research, but I also believe researchers should be able to share their experiences openly and factually.

Additional Findings

Following the outcome of this process, I decided not to continue reporting additional issues that I identified during my research.

At the time, I had reason to believe there were further vulnerabilities that warranted investigation, including a potential SQL injection issue. However, given my experience with the review and reward process, I chose not to invest additional time in preparing and submitting further reports.

I believe responsible disclosure works best when there is mutual trust, transparent communication, and fair treatment of researchers. Unfortunately, my experience in this case left me unwilling to continue dedicating further research efforts to the platform.

Comments

  1. Scammers Shared On My Blog Too Blacksheep!!

  2. Firefish here. A few facts for anyone reading, since the post leaves out some important context.

    On the findings: every item reported falls into the security-hardening / best-practice category — missing HTTP headers (HSTS, CSP, X-Content-Type-Options), SPF/DMARC configuration, TLS version support, rate-limiting, self-XSS, and password-history. Across the industry these are triaged as informational and are generally not eligible for a monetary bounty.

    On payment: the post mentions a single 100 EUR figure, but that isn't the full picture. We actually made three separate payments over the course of the engagement — 200 EUR, 110 EUR, and 100 EUR (410 EUR in total) — so the researcher was compensated on an ongoing basis, even though these categories would not normally qualify for a bounty at all.

    On the SQL injection: the researcher declined to disclose any details unless paid first, without specifying or evidencing the issue. In his own words: "Decide it's bounty first. And pay 75% in advance," and "If you decide and pay valid bounty for my previous report then I don't need advance payment will send sql injection first." We don't pay for undisclosed, unverified findings up front. The standard everywhere is: report first, verify second, reward last.

    We remain happy to assess any verifiable, in-scope vulnerability submitted in good faith through coordinated disclosure.

    Replies
    1. I will share the entire conversation video and what you paid and why you paid.

  3. Let's make him famous on bitcointalk
