Possible case of extortion from a researcher?

On Monday one of my sites was under attack by a hacker.
Yesterday I received an e-mail from a person whom I could find listed as an Open Bug Bounty researcher. My site is not in the Open Bug Bounty list of sites to test.
This person told me that he had found critical bugs. I replied to him and asked for more information via e-mail.
Today he replies that first he wants to discuss a payment.
In my opinion this is extortion. I have not asked for this service.
How should I behave?
Thanks in advance.

In what way? As long as that person does not attack your site everything should be fine. I agree, that person should not have run an alleged test in the first place and, particularly with the entire payment story, I'd question the "open bug bounty researcher" thing a bit, but that alone still doesn't make it extortion.

I'd be careful. It could also be an attempt to scam people.
If you're concerned now, you could ask a legitimate research company to run tests against your web services.

Sounds a lot like this one:


Give this scanner a quick try. It will probably be good news, but if there’s a warning, at least you’ve got something to start with and find someone competent to look into this.


Also, if you’re using wordpress:

docker run -it --rm wpscanteam/wpscan --url www.example.com
Hi dayman, thank you for a great article!

Hi and thank you all for replies.

Tonight the attack resumed. I don't use WordPress but a proprietary CMS. It has held up: no intrusion, no viruses, no other bad things, only heavy traffic on the site. I have carefully checked the code and the server.

With Cloudflare I blocked the hacker, so at the moment all is good.

I decided not to pay and to ignore this guy.
I think it is the right choice.


