Should I respond to an "ethical hacker" who's requesting a bounty?

A true "ethical hacker" would tell you what issue (s)he found in your system, not ask money for that; (s)he could offer to fix it as a contractor, but that would be after telling you what the actual problem is; and in any case, it's a completely different thing from just trying to scare you into paying.

This is plain and simple blackmail.

(Also, it's a very real possibility that there is no real vulnerability and someone is just trying to scam you into paying money for nothing).

While this might be blackmail, there are many possibilities for genuine good intents, too. Therefore, here's some more comprehensive thoughts on how one might handle unsolicited vulnerability reports. In short: you have every reason to be cautious, but you do not have to be rude.

Who may find vulnerabilities and why?

Ethical hackers perform their analysis based on a contract typically with predefined targets and limitations. These might be ordered assignments or more loosely defined bug bounty programs, either directly or through a platform like HackerOne. In any case, an ethical hacker (or a white hat hacker) always has an explicit permission.

From the details in this question alone it is hard to tell whether the message you got is a clear scam or someone with good intentions but lack of understanding – or willingness to adhere to ethical standards. The latter grey hats might even violate laws, but they do not have malicious intentions. The penetration testing industry is also extremely trendy, so there are all kinds of self-appointed penetration testers, ethical hackers, security researchers etc. with varying skills (or complete lack of them). In this case they may benefit from some gentle guidance, whereas false accusations might lead them to wrong direction.

I have found several vulnerabilities by accident, without an intention to poke the system in any way. These cases are usually rather harsh, and I do hesitate whether not to report it at all, report it anonymously, or report it with my name, which would give me the possibility to help them with further questions. The reality is that because I did not have a permission, the receiver may interpret or handle my report with unexpected ways, possibly causing me legal charges or other problems. So far, they have been sympathetic towards me.

Do you benefit from these findings?

You are asked to pay for the findings, but without knowing the details you cannot be sure whether they are worth paying at all. Vulnerabilities comes in all shapes and sizes. Some of them are critical, and some are minor. Some may also seem problematic from outside, but are completely irrelevant to you, or within your accepted risk. One simply cannot sell vulnerabilities in pieces, bundles, kilograms, or liters.

Two examples of completely worthless reports I have got recently, both with genuine intent.

1. A message suggested a reward for finding a web page protected by HTTP basic authentication, which indeed is not a secure authentication method. However, as it was only an extra layer of security before an actual login page, and not protecting any critical system anyway, it was not really a vulnerability at all. Therefore, the finding had zero value for the company.

2. A report of a missing SPF record. The explanation was correct and all, but the record was not missing! Instead of querying from DNS, the "bug bounty hunter" had used a web-based SPF lookup tool but used http://example.com instead of example.com. Due to this syntax error it did not show the record.

Therefore, in order to judge the value, some details of the vulnerability must be disclosed. If someone who has found the vulnerability thinks giving out these details may result in losing the reward, the vulnerability may actually be worthless: known, easy to spot with automated tools, within accepted risk, too minor, or otherwise irrelevant. On the other hand, if the vulnerability is severe, it is often also so complex that giving some proof of concept will not completely help fixing it. The additional work required to describe and address the vulnerability is valuable and will be paid.

It's not unusual for someone who discovers a security vulnerability to be paid a bounty for their discovery. A lot of prominent open source projects and web sites have policies of paying a bounty for responsible disclosure of a vulnerability. I don't know how common it is for companies to pay a bounty without having some sort of bounty program set up in advance though.

I received a bounty for reporting a security bug in a very prominent open source web application. Here's how it worked in my case:

• I reported the vulnerability to the development team via their preferred reporting method, including the fact that if the bug was eligible for a bounty I would be interested (they had a public bug bounty program).
• I kept knowledge of the vulnerability confidential while the team identified and patched the issue.
• When a patch was released the notified me that my report was indeed eligible for a bounty and how much they'd be prepared to pay.
• At this point I was free to discuss my vulnerability publicly (although chose not to do so).

The key points here are that:

1. The report was made without holding the details for ransom until I was paid.
2. Details of the vulnerability were not made public until the vendor was able to make a fix.
3. If the issue I reported was not in fact a security bug, I wouldn't be paid.
4. The vendor decided how much the vulnerability was worth. They did have a public table of "Vulnerabilities of type X will be paid up to $Y" on their web site.

While I only have direct experience with this one vendor, I believe this process is pretty typical for most.

In your situation I would:

1. Insist that the vulnerability be disclosed responsibly. i.e. To you, directly, and without any form of public, or semi-public disclosure by your "hacker". You want to be aware of this before everyone else, that's one of the things you're paying for. If your hacker posts about this publicly, or talks to his mates about it, then there's no deal.
2. Insist that details of the vulnerability are to be verified by a security expert. Given you say you're a one man show without a lot of expertise in security, that probably means hiring someone on contract to assist you.
3. If your expert agrees that it's a security problem, they'll be able to give you an idea of its severity and YOU can decide what it's worth.

How much should you pay? That's up to you. In my case, the vendor rated the bug as "critical" then it was patched. It could have led to serious compromise, but would have been difficult to do. I was paid a little under $5k for my efforts, which was near the top end of the range quoted on their web site.

Also, if they're just telling you about a known security vulnerability in a bit of third party software that's probably not worth much. e.g. if you were running an old version of WordPress and the bug was a known WordPress vulnerability.

Is this black mail?

If they insist that you don't get details until a bounty is paid. Yes. That's not how these programs usually work, a proper ethical hacker knows that.

Is this his way of saying you'd better pay me or I'm going to wreak havoc?

A proper ethical hacker isn't trying to wreak havoc. Nor will they be selling the vulnerability to someone else if you don't pay. But that assumes you're dealing with a legit ethical hacker, not some troublemaker who's trying to rip you off or cause trouble.

Or is this a typical and legitimate method for people to make a living without any nefarious intentions?

After I earned my bounty, I did the maths, and figured I could potentially earn a living collecting bounties. It is possible. Whether that's what your guy is up to, who knows. Trying to collect bounties from companies that don't have formal bounty programs is a pretty risky way to go about it though, which counts against your guy IMHO.

Yes, that is blackmail.

The responsible thing to do is to inform you privately. Perhaps with a disclosure policy of eventually going public if no response after some time.

A more polite way of doing business would be a hint that you would get more reports if you offered a reward via a bug bounty or similar. But still forward the issue details regardless.

Considering hiring a security person (not this "hacker") to evaluate your systems. Whatever form that takes, a one-off engagement to do a security assessment, a bounty, or a migration to a hosted platform to outsource operations to someone else.

@GlennWillen's comment hit the nail on the head:

Even if the "vulnerabilities" are real, you should not assume they are useful unless you understand them in context yourself. For example, is there any actual way to cause harm by embedding your site in an iframe? I get these spam "vulnerability" emails all the time, but the site in question is a static marketing page with no user login capability, so there is no possible use in performing a clickjacking attack on it. These people just run "vulnerability scanners" against your site, then ask you for money. They don't actually understand the output of the tools.

To say it more pointedly: given the two security issues mentioned by the "hacker" (SPF ?all and clickjacking), it is most likely that the hacker has not spent any significant time or effort specifically examining OP's site.

Therefore, to avoid being marked for more specific targeting, OP should not respond to the email.

OP should check about these issues with a real security expert, but should not engage with this "hacker".

As someone working in information security and receiving quite a lot of such reports, a few comments:

• if the hunter makes a payment a condition to reveal the vulnerability you should pass. This is either a false report, or a report from someone who is not professional (and therefore of zero or low value)
• if the hunter provides you with a partial evidence and requests money for the rest (say, they show that they accessed to more data than they should have), it is blackmail. The major problem here is that you are not likely to know how to fix the issue (or maybe even understand if this is an issue at all). So paying for just the finding may not give you much. OTOH if you know someone who can fix it then it may be with a shot, after running what you have through that "someone who can fix it"
• if they gave you everything then you still probably need someone to fix it. If you do a gesture would be nice (even in the form of some swag - that is a gift of some sorts, it depends on plenty of factors).

You may also feel that you do not care about security - this is perfectly fine assuming that you are aware of the consequences. Since you run an internet based business I think this is not an option.

You may consider moving your business to a SaaS solution, though, if this is conceivable and let others worry about such things (including security).

Bug bounties work the other way round!

How do they work:

1. A service provider or software vendor announces "bug bounty program" beforehand.
2. A more or less ethical hacker finds a bug. They REPORT the bug usihg the method of communication announced in the bug bounty program. They may as well share it to some reputable security-related media or experts, who promise to keep silent for a while.
3. The bug is evaluated by the affected parties. They decide to pay (or not to pay) the bounty and contact the hacker about the details. (They also eventually do fix the bug.)

If they don't react the proper way in a timely fasion, the hacker, the other security experts or the media involved may publicly disclose the bug, the failure of the bug bounty program and/or other details.

Yes it is blackmail.

I have read computer law in graduate school, but speaking as an ethical hacker and bug bounty hunter myself, I never try to find vulnerabilities (known as pentesting) on websites I do not own or have express permission to test.

Bug bounty programs are there for a reason - to give hackers an avenue to find vulnerabilities and earn money for it. Testing without permission, or without a bug bounty program that automatically grants permission based on certain conditions, like what the so called 'ethical hacker' has done, can be reported to the police as it is a cyber crime - no different from a malicious hacker.

I realise that my answer is kinda late and you might have already paid, but anyone reading this in the future should absolutely not pay to these self-proclaimed 'ethical hackers'.

Now, on to the 'vulnerabilities' themselves: Neither of them are real vulnerabilities!

They are simply security best practices at best. I used to manage a bug bounty program and these kind of reports (SPF records allow spoofing, Clickjacking) are simply a waste of time. If you do a simple google search for them, you can see that the vast majority of bug bounty programs run by any company will automatically put these reports in the trash and possibly blacklist these reporters. It's because these 'vulnerabilities' have no real impact. Thus, the reporter isn't just a blackmailer; he's also a scammer for exaggerating the impact!

I believe him.

You should not believe people without actual credentials. By credentials I mean actual proof of their ethical hacking activities, such as having multiple CVEs to their name or having participated in security hacking competitions (CTFs) with a good track record, or having presented at any technical conference, or simply having been listed on at least one Hall of Fame in any bug bounty program, etc..

And definitely not a random guy demanding money from a small site without a bug bounty program.

Does the information provided speak for itself? And can it be validated? I might be inclined to respond promptly if the first is true, saying I am proceeding toward due diligence around the information provided.

If all is confirmed, what is the value of this information to you?

What type of relationship would you like in support of these interests? I would expect to know a person's expected form of payment and business entity as well as other details related to the norms of business. I'd ask for all of this in my response.

Negotiate with the person to proceed if you want to do business, having in mind that you could change your mind anytime--both for or against.

If they turn out to be engaged in criminal activity you'll need to provide all the collected information to the authorities (FBI?).

Otherwise you may have both a better service, saved resources and a good value. Keep in mind anyone can change behavior and business relationships anytime. It's helpful to establish trust and clearly lay the cards out. Don't assume they're out to extort you regardless of style of presentation. It helps to maintain professionalism, clarity and integrity such that everyone can leave with their dignity. Hope this provides substantive context and contrast as well as usefulness in your situation.

I find it most likely that this is spam mail, which means that the proper response is no response.

Somebody gets a list of small businesses and sends emails like that to everybody. Out of the millions targeted, a few will bite and send them money.

In addition to losing that money, the victims are now on a list of gullible people, people who will be targeted for further scams, involving more personal attention from the scammer and more money.

Don't end up on the gullible people list.

Of course, you should also tighten up your security anyway:

Backup your data. Make sure the backup is not hackable, just put it on a disk that is not plugged in.

Change your passwords. Don't use the same password for different services.

Make a schedule for backing up your data periodically.