AIBU?

To think this email from an ethical hacker is blackmail?

37 replies

Insertfunnyname · 16/01/2021 11:54

I own a business and we had an email from someone out of the blue to say by the way I've been looking around your website and discovered that XYZ is insecure and someone could actually hack this part.

I forwarded it on to our web developers saying "not sure if this is true etc but here's an email I got". They replied a bit red faced and said actually that does seem to be a flaw in the coding or whatever and we've fixed it. So I replied to the anonymous email saying that is very kind to email, thanks. Are you an existing customer? I was going to offer them a voucher or something to use on the website.

They replied and said they're not a customer, they're an "ethical hacker" and now they'd like to be compensated for their time! (not in the form of a voucher for our website obviously but actual money)

To me, this seems like someone tapping your door saying "I noticed that your front door was a bit rotten and under the weather. I've painted it for you, and now here is my invoice", when you hadn't asked them to, and they made no contact before doing it. Surely 'tradesmen' should actually offer their services, not do it and then present a bill!

It feels almost like a thinly veiled threat that if we don't now pay them they might cause us damage, or try and hack the website and probably 99% of people get freaked out and pay them just so they go away. Not all that ethical.

I just don't like their way of going about all this... it stinks! And I guess we will probably pay. They haven't told us yet how much ££ they want.

OP posts:
Meme69 · 16/01/2021 11:56

If the hack has been fixed then you could just ignore them, or just offer what you originally intended

Insertfunnyname · 16/01/2021 11:57

Well I guess the fear is that they might not have told us about ALL the vulnerabilities so that they have leverage if the 'client' doesn't pay.

OP posts:
SendMeHome · 16/01/2021 12:02

This used to be pretty common a few years ago. Quite a lot of the “big” companies have a fund for this type of thing, where if someone ethically finds a hole, they’ll pay them for finding it and helping them to fix it before it became a major issue. HSBC, Barclays and Google still have events where they encourage it.

It doesn’t sound like they’ve threatened you, from what you’ve written, just that you feel odd about the request and now unsure about how secure your site is?

If that’s the case, I’d offer something reasonable to the person who made you aware, especially if it was the kind of issue that could have led to an ICO fine etc - and I’d probably talk to the developers about contributing to that, depending on your contract with them, and then how they can help you feel confident that there are no further holes.

If they’ve actually threatened you; that’s a bit different!

Your analogy doesn’t hold though. It’s not like someone finding your door rotten and painting it for you. It’s more like someone finding your door open, letting you know so it could be secured and then asking for a reward for stopping your things being nicked.

And if you don’t want to pay, you won’t be the first.

SendMeHome · 16/01/2021 12:05

Well I guess the fear is that they might not have told us about ALL the vulnerabilities so that they have leverage if the 'client' doesn't pay.

They’ve contacted you, so they’d be the first suspect if something now went wrong... and it wouldn’t be very ethical! Their goal is to make some money helping businesses solve vulnerabilities they don’t know about, and hopefully to get recurring business from the ones who then want more of the site tested.

The people who need to make sure there are no further vulnerabilities are your developers, in this case.

CakeRequired · 16/01/2021 12:11

They aren't much of an ethical hacker if they did try to blackmail you. More grey hat really.

However they haven't technically threatened anything yet unless you've missed out a lot of details. A lot of hackers do this for big companies, they'll spot something, let them know and usually they get a reward. Facebook has been known to give thousands of dollars for spotting something.

You don't have to really, you could just reoffer the voucher or a big discount, or ask them what were they expecting?

Doodlepip23 · 16/01/2021 12:13

Have your website developer look at the website for any other vulnerabilities, get them to check there is sufficient security in place and don't enter into any more contact with this person.

Nighthawker · 16/01/2021 12:14

I wouldn't be paying them, you didn't ask for their services so they can get lost.

RoganJosh · 16/01/2021 12:19

The email address they've used, is the domain for their website? If so, have a look and see how dodgy they look. And as others say, you'd know where any compromise came from if there was one, if the email is a 'proper' one.

NonagonInfinityOpensTheDoor · 16/01/2021 12:26

Well it’s not very ethical to expect compensation for something most do just to stop people being exploited.

But you can hire people to look at your security systems (I forgot the name but basically they try and hack in and exploit any bugs in code etc they can find and then report back to you so you can fix them). Is your web team up to scratch?

pumpkintree · 16/01/2021 12:29

Wow, so someone has shown you that your website was easy for hackers to attack and you are not grateful but looking for a way to not pay. True you didn't ask for it but imagine the damage to your business had you been hacked. If you have funds please think about a reward - think of it as they found your wallet and returned it full. You would reward that surely?

sirfredfredgeorge · 16/01/2021 12:34

Well it’s not very ethical to expect compensation for something most do just to stop people being exploited

It's not very ethical to not bother securing your website and leaving your customers vulnerable? What's more, the company doing that is very probably acting illegally.

I would encourage the company to make their policy on this explicit - securitytxt.org/ - explains how, a bug bounty is not necessary, but it might be useful. When you consider Apple and Google etc. are spending millions per year on this knowing that they get very good return on that investment, it's really not a bad idea. Much better than the damage caused by someone who wants to exploit it.
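
A minimal security.txt of the kind the securitytxt.org reference above describes, added here as an illustration and not part of the original thread or of any poster's site. Every value is a placeholder (example.com addresses, a made-up policy URL and expiry date); a real file is served at /.well-known/security.txt on the site and tells a researcher where to report and on what terms, so the first contact does not arrive out of the blue:

```text
# Example /.well-known/security.txt (RFC 9116 format).
# Constructed illustration: every value below is a placeholder, not a real site's details.
Contact: mailto:security@example.com
Expires: 2026-01-01T00:00:00.000Z
Policy: https://example.com/security-policy
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```

The Policy page is where a business says in advance whether it pays for reports (a bug bounty), only acknowledges them, or simply wants them sent to the address given; Expires is required so that a stale contact address is not trusted indefinitely.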

RantyAnty · 16/01/2021 12:35

They are being dodgy about it.

This is a sales technique but it involves more than I found x so pay me for it.

A legit business would ring up and have a discussion about the website after the initial email, and then they would present an estimate. If your company wants to hire them, the agreement would be signed along with the fee, what they'd be doing and expected time to finish.

Eve · 16/01/2021 12:41

@NonagonInfinityOpensTheDoor

Well it’s not very ethical to expect compensation for something most do just to stop people being exploited.

But you can hire people to look at your security systems (I forgot the name but basically they try and hack in and exploit any bugs in code etc they can find and then report back to you so you can fix them). Is your web team up to scratch?

Penetration testing - where I work we have teams of people doing this for customers - for £600+ per day.

Have a look at what the rate is per day for professionals to do this.

honeybeetheoneandonly · 16/01/2021 13:03

I would just reply saying you aren't in a position to offer financial compensation (I don't think many businesses are at the moment) but could offer a discount or whatever you had had in mind.
I would like to think the reason they checked out your webpage in the first place was their interest in your services/ products.

ScrumptiousBears · 16/01/2021 13:04

I wouldn't have even communicated with them tbh. I'd ignore them and leave it. If it starts getting threatening report to the police. They will have a cyber crime team to deal with this sort of thing. Also keep the original emails.

Elwynne · 16/01/2021 15:24

@Insertfunnyname explain that you are grateful for their help but would have needed to know upfront that this would have cost money in order to be able to follow the correct procedures and procurement. Explain you still want to offer them a voucher as a personal token of thanks.

Alternatively ignore any further correspondence.

Witchend · 16/01/2021 15:49

We've had those emails at work. Thing is that actually, having looked into it, it's not correct in our case. I think they often pick something that several companies may have as an issue, and hope you'd respond. If you respond they know they have someone to work with.

I wouldn't have replied to them as they then know you're worried.

FolkyFoxFace · 16/01/2021 15:54

My ex used to do this. He was big into coding and computers, and was trying to set himself up as a freelance penetration tester. Mainly because the actual companies that provide this as a legitimate service thought he was so crap and big headed that they wouldn't hire him. He's a kids magician now, no word of a lie.

Just ignore it.

Palavah · 16/01/2021 15:57

@Insertfunnyname

Well I guess the fear is that they might not have told us about ALL the vulnerabilities so that they have leverage if the 'client' doesn't pay.
If that's the case they're not ethical, are they. They haven't fixed the roof, just pointed out it's leaking.

If they threaten to expose other loopholes if you don't pay them then isn't that blackmail or extortion?

I would suggest a review of your cyber security arrangements - look for a reputable, recommended supplier though.

Any other consultant or service provider might offer some advice or recommendations for free as part of their pitch for services but they wouldn't expect to be able to charge for services you hadn't solicited.

LaurieFairyCake · 16/01/2021 15:58

Probably shouldn't have emailed him - sounds like a scam/as if he's emailed multiple companies with the same thing

Should just have fixed it

NoOneOwnsTheRainbow · 16/01/2021 16:05

I can't believe you replied to someone who broke into your website. Would you offer an "ethical burglar" a voucher for breaking into your premises and not stealing anything? Bizarre.

NoOneOwnsTheRainbow · 16/01/2021 16:08

"And I guess we will probably pay."
Why? Why not just stop replying to chancers? Why let yourself be intimidated by something just because you don't understand it? You have an IT department. They will (or should) back up everyone's work and check for other vulnerabilities, or get an outside company in who they have vetted. This person hasn't actually done any work for you, they've made you work.

freezedriedromance · 16/01/2021 16:25

Don't be ridiculous. If you're now concerned there are other weak points do what other companies do and pay for penetration testing.

sirfredfredgeorge · 16/01/2021 16:31

If you're now concerned there are other weak points do what other companies do and pay for penetration testing

Or just offer a bug bounty, which is considerably cheaper, and exactly what this bod was doing for free, they'll be even more motivated if it's for a small bit of cash.

DGRossetti · 16/01/2021 16:34

Personally I'd wonder what else they may have found that they didn't tell you about. They've already confirmed the people you paid to do the job weren't up to it, and that you didn't spot that.