Hi,

You are working on a product that is still in the beta stage, and someone out of the blue sends you an email saying that your site has these security vulnerabilities (valid ones) and asks for a reward in return.

Has anyone faced this kind of situation? We are willing to give him a reward, but being in the beta stage, we are still not sure what and how much we should reward him.
Speaking as a security consultant - don't give a reward. What they did is technically illegal and not in the spirit of security testing.

If someone finds a vulnerability accidentally (I've done this before), they won't ask for a reward if they are professional and the company has no bug bounty. It's reasonable to tell a company out of respect - it's unreasonable to ask for payment; that implies almost a ransom and will encourage more of it.

There is a problem with bug bounties these days in that they attract a lot of people desperate to get into the InfoSec industry who don't necessarily know what they're doing and have no professionalism (see @CluelessSec, for example). Don't encourage it by giving a reward.

Cold calling (or emailing) companies to solicit penetration testing is okay; casing the company for vulnerabilities and asking for payment is not. I do suggest you find someone to do a solid penetration test of your company, however, just out of principle.
A startup I worked for encountered this "unsolicited penetration testing."

If you offer them a reward or recognition, you are going to see many more vulnerabilities being reported to you. You are going to start seeing port scans on your machines and all sorts of scraping looking for vulnerabilities. Some security vigilante is going to take down your service in the middle of the day with an overly aggressive script.

The best course of action is to fix the vulnerabilities, thank them for their contribution (in that order), and say nothing more. You don't have the time to manage a bug bounty program right now, and by giving them recognition or a reward you are in effect starting an ad hoc bug bounty program.
You should probably take the time to think about how you're writing your software soon, and maybe consider the possibility of hiring a consultant to audit your code before you ship.

Also, what debacle said.