Beg Bounties
Posted on Sun 19 April 2026 • 3 min read
With the rise of AI, I fear Beg Bounties will take off like wildfire.
I’ve been running this website for many years, using it to test out new tech - but always with security in mind.
When I first heard about security.txt I ofc had to add it to my website.
This has led to a bunch of Beg Bounty emails. Recently¹, I got this, which is probably the most stupid to date.
Let’s dig in!

… soooo they found out that the methods GET and HEAD are allowed, which is correct!
I’m using the Caddy web server, so the totally safe, side-effect free, and idempotent verbs are indeed allowed.
We can actually find all the allowed methods by making a request with a bad method (BADMETHOD) and looking at the Allow response header:
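Here is the same check done in code. This is an added example written for this post, not the author's tooling or Caddy's own code: it sends a request with the unknown method BADMETHOD, reads the Allow header from the 405 reply, and classifies each advertised method by the safe/idempotent properties RFC 9110 defines. The sample 405 response embedded below is constructed for the demo (the Server and Allow values in it are assumed, not captured from this site); probe_allowed_methods is the live version and needs network access.

```python
"""Added example (not from the original post): discover which HTTP methods a
server advertises by sending a deliberately unknown method and reading the
Allow header from the 405 response, then classify each advertised method by
the safe / idempotent properties defined in RFC 9110 section 9.2.
"""
from __future__ import annotations

import http.client

# RFC 9110 sections 9.2.1 and 9.2.2: every safe method is also idempotent.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
IDEMPOTENT_METHODS = SAFE_METHODS | {"PUT", "DELETE"}


def parse_allow_header(raw_response: bytes) -> list[str]:
    """Return the methods listed in the Allow header of a raw HTTP/1.1 response.

    Header names are case-insensitive, method tokens are not. Returns [] when
    the response carries no Allow header at all.
    """
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"allow":
            # Allow is a comma-separated list; tolerate stray whitespace/empties.
            text = value.decode("ascii", "replace")
            return [m.strip() for m in text.split(",") if m.strip()]
    return []


def classify_methods(methods) -> dict[str, dict[str, bool]]:
    """Map each method to whether RFC 9110 defines it as safe and/or idempotent."""
    return {
        m: {"safe": m in SAFE_METHODS, "idempotent": m in IDEMPOTENT_METHODS}
        for m in methods
    }


def probe_allowed_methods(host: str, path: str = "/", use_tls: bool = True,
                          timeout: float = 10.0) -> tuple[int, list[str]]:
    """Send a BADMETHOD request and return (status, methods from Allow).

    Live counterpart of parse_allow_header; requires network access.
    """
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, timeout=timeout)
    try:
        conn.request("BADMETHOD", path)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        allow = resp.getheader("Allow") or ""
        return resp.status, [m.strip() for m in allow.split(",") if m.strip()]
    finally:
        conn.close()


# Constructed sample (assumed values, not a capture): the shape of a 405 from
# a static-file server that only serves GET and HEAD.
SAMPLE_405 = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Server: Caddy\r\n"
    b"Allow: GET, HEAD\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    methods = parse_allow_header(SAMPLE_405)
    for method, props in classify_methods(methods).items():
        print(f"{method:8} safe={props['safe']} idempotent={props['idempotent']}")
```

Run against the constructed sample it reports GET and HEAD as both safe and idempotent, which is exactly why a server advertising only those two is not a finding. Swap in probe_allowed_methods("yourhost") to do it live.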

The “bug report” continues to tell me that other methods might be dangerous, but me allowing GET/HEAD has severity medium, hmm 🤔
What are they recommending we do instead?

Ahh, so allow GET/HEAD, which is already what we do? 🙃
The advice is followed by yet another, even stupider recommendation, which is to block “dangerous” methods, … sigh, please don’t do that, how are we supposed to build RESTful APIs if we are not allowed to use the correct verbs?
The beg bounty email continues with bad advice on implementing “verb blocking” for nginx/apache - even though I’m advertising Caddy in my Server response header.
No thanks.
-
¹ Okay, not really recently, but this text has been sitting idle for a long time without anywhere to publish it.