Jay Niffley, Man of Mystery
Yesterday I received a brief message to an email address listed in various security.txt files:
Date: Sun, 3 Nov 2019 21:36:01 +0100
From: Jay Niffley <jayniffley@gmail.com>
Subject: Security issues

Hello,

I've found some security issues in your website. Where can I report these issues over? Do you reward for valid security issues?

Thank you!
-Jay
A Google search for the name "Jay Niffley" was unproductive, and it's likely no real person by that name exists. But the "jayniffley" handle has been used at least once before, in what appears to be an attempted XSS probe on a cryptocurrency wallet manufacturer's support forum. The forum post containing the failed XSS attack references
Not knowing whether this vague contact was a legitimate inquiry, I replied with the appropriate contact information and the disappointing news that no bounties are available. Then I took to Twitter, soliciting others who might have received the same message. Several folks confirmed getting a copy at their own security.txt contact addresses. One analyst who replied with a bounty offer was provided with some low-severity bugs, though the conversation quickly degraded, with "Niffley" expressing displeasure at the proposed resolution timeline.
It's unclear whether this is an earnest actor attempting to report valid problems, or someone who's running a series of automated scans and carpet-bombing security contacts hoping to scare up some reward money. After declining to pay a bounty, I never heard back from him. If you have insight, feel free to reply to the tweet.