What to do if a ‘white hat hacker’ requests a bounty?

By Roman Berezhnoi December 21, 2022 271 views

What to do if a ‘white hat hacker’ requests a bounty?

You are the one who runs your business to feed your family and make this world a little bit better. You have low expertise in web security. Honestly, many website owners only care about their websites’ security once hackers use vulnerabilities. A hacked site is a nightmare for any business owner because it affects reputation, SEO, and revenue. You know that even if you have never faced such a problem.

That is why one email can make you think about your website’s security.

From time to time, many companies, from small home businesses to SaaS product companies, receive the email like this:

This is the typical email of an ethical hacker that includes the minor vulnerabilities, a few details and requesting bounty reward.
An ‘ethical hacker’ email

Many people think about what they should do after receiving these emails. Which options are here?

The first thing that comes to mind is asking people in social media groups or forums. But many people have never faced such cases, and you may get the weirdest advice.

In this article, we have collected typical tips and looked at the pros and cons of one for business website owners.

Ignoring these emails

Ignoring the ‘white hacker’ email is the worst option you could use. Usually, these guys use standard scripts, DNS checkers, or well-known tools to find vulnerabilities. Their common targets are WordPress sites because many use this platform for business sites with insecure plugins and inadequate website protection.

Hence, if a ‘white hacker’ find security issues, you can find them too.

F5 Studio’s recommendations
You can use several ways to detect clickjacking vulnerabilities, for example, OWASP, or check your site headers with https://securityheaders.com/

If you find vulnerabilities, you can contact an experienced web developer who can fix these issues.

In this article, you will find standard ways to improve your WordPress site security and protect it against proxy mirroring.

Send ‘white hat hacker’ some money

At forums, many people suggest you pay the ‘white hat hacker.’ But it is not a good idea. Why?

First of all, any white hat hacker always has explicit permission to check sites and run tests based on a contract with predefined goals and limitations.

It is unethical to use tools and scripts to test somebody’s site without a website owner’s permission (I must add this applies to search engine optimization too). 

Second, asking for a bounty reward looks like blackmail. Some ‘white hat hackers’ neglect to mention a beg in the first message but send it in the next. Many web security specialists define it as a standard dishonest scheme many scammers use. 

If a person wants to be a web security researcher, they will be involved in Bugcrowd, HackerOne, or other legit companies and organizations.

So, do you need to pay money to the beg bounty hunter? The answer is no! You do not need to pay a ‘white hat hacker’!

F5 Studio’s recommendations

First, do not pay these ‘white hat hackers’ because it encourages blackmailing. Publicizing the ethical hacker’s email and your discussion would be better. Use your corporate social media accounts. If the person is a really ethical hacker, they will provide detailed information about your website vulnerabilities and offer services to fix these issues. If the person is not a white hat hacker, you will help many people to avoid this scam.

Also, the publication of your and a ‘white hat hacker’ discussion will draw the web security specialists’ attention. Some of these specialists will be happy to give you advice for free. 

Contact a real web security specialist

It seems obvious, but some owners of websites ignore this way. Only experienced web developers and security specialists can detect website vulnerabilities and know which are critical and which are minor. Also, automated tools can’t identify all critical website vulnerabilities, hence hiring an experienced person is a good idea because hackers can use your site for fraudulent schemes or attack your business and reputation. In fact, a hacked website is a big problem, and the solution will take a lot of time and money.   

F5 Studio’s recommendations

Life and practice prove that it is easier to prevent hacking a website than to deal with the consequences. When you hire a team of web developers, they should add security settings and recommendations to the scope of the project tasks. 

Anyway, you can test and improve your website security any time if you hire experienced specialists.


When F5 Studio’s team received the ethical hacker’s email, we were surprised by how many people face this problem and how little information a website owner can find about that. That is why ‘white hat hackers’ continue to request bounties. This scam works.  

If someone attempts to scare you with a website vulnerability without providing detailed information until a financial commitment is made, this person is dishonest and fraudulent. In fact, ‘white hat hackers’ or ‘ethical hackers never request a bounty reward because it is unethical. Professional web security specialists test any website with a website owner’s permission. 

If you receive an email from an ‘ethical hacker’ who requests a bounty reward, do not pay them. You can check your website via tools like https://www.ssllabs.com/ssltest/index.html or https://securityheaders.com/ to find minor vulnerabilities. But if you contact web security professionals, it would be better. Because only web security specialists can identify critical vulnerabilities and which ones you can ignore. Also, professionals know how to fix issues and protect your site.

Are professional web security services expensive? In fact, these services are cheaper than the bounty reward of an ‘ethical hacker.’ So the choice is clear. Do not hesitate to contact web security specialists if you want to protect your site.

Comments ( 0 )

Leave a Reply

Your email address will not be published.

Contact us:

Thank you for your message. It has been sent.

We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.