Should I respond to an “ethical hacker” who’s requesting a bounty

hacking

I run a small internet based business from home and make a living at it to feed my family, but I'm still a one man show and internet security is far from my area of expertise.

Yesterday I received two emails from a guy who calls himself an "ethical hacker" and has identified two vulnerabilities in my system which he says could be exploited by hackers. I believe him.

The problem is, at the bottom of each email he says he "expects a bounty to be paid". Is this blackmail? Is this his way of saying you'd better pay me or I'm going to wreak havoc? Or is this a typical and legitimate method for people to make a living without any nefarious intentions?

EDIT: For more clarification: He gave me two examples of vulnerabilities with screenshots and clear instructions on how to fix those vulnerabilities. One was to change the "?all" part of my SPF record to "-all" to block all other domains from sending emails for my domain. In the other email he explained how my site was able to be shown inside an iframe (enabling a technique called "clickjacking") and he also included an example of the code and instructions on how to prevent it.
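The two fixes described in the edit can be verified without trusting anyone's screenshot. The following is an added example (not code from the asker or from either email) that checks an SPF record's terminal `all` qualifier and whether an HTTP response's headers forbid framing; the record strings and header dictionaries are constructed sample inputs, and the domain in them is a placeholder.

```python
import re
from typing import Dict

# Constructed sample SPF records (placeholder domain, not a real record).
SPF_BEFORE = "v=spf1 include:_spf.mailer.example ?all"   # neutral: no protection
SPF_AFTER = "v=spf1 include:_spf.mailer.example -all"    # fail: unlisted hosts rejected

ALL_MEANING = {
    "+": "pass: any host may send as this domain (no protection)",
    "?": "neutral: unlisted hosts are neither authorized nor rejected (no protection)",
    "~": "softfail: unlisted hosts are flagged but usually still delivered",
    "-": "fail: unlisted hosts should be rejected (recommended)",
}

def spf_all_qualifier(record: str) -> str:
    """Return the qualifier ('+', '?', '~', '-') of the terminal 'all' mechanism.
    A record with no 'all' term evaluates to neutral for unlisted hosts, so '?'."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+?~-]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # a bare 'all' means '+all'
    return "?"

def spf_is_strict(record: str) -> bool:
    """True only when the record ends in '-all', the fix suggested in the email."""
    return spf_all_qualifier(record) == "-"

def framing_protected(headers: Dict[str, str]) -> bool:
    """True if the response forbids framing by other origins.
    CSP frame-ancestors takes precedence; when it is present browsers ignore
    X-Frame-Options, so it is checked first."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            return bool(sources) and "*" not in sources
    xfo = h.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")

if __name__ == "__main__":
    for rec in (SPF_BEFORE, SPF_AFTER):
        q = spf_all_qualifier(rec)
        print(f"{rec!r}: {ALL_MEANING[q]}")
    print("framing blocked:", framing_protected({"X-Frame-Options": "SAMEORIGIN"}))
```

To check a live site, fetch the TXT record with `dig TXT yourdomain` and the headers with `curl -I https://yourdomain/`, then feed the results to these functions.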

Best Answer

A true "ethical hacker" would tell you what issue (s)he found in your system, not ask money for that; (s)he could offer to fix it as a contractor, but that would be after telling you what the actual problem is; and in any case, it's a completely different thing from just trying to scare you into paying.

This is plain and simple blackmail.

(Also, it's a very real possibility that there is no real vulnerability and someone is just trying to scam you into paying money for nothing).