Ask HN: "Ethical Hacker" or Criminal Scammer?

2 points by silexia 12 hours ago

My company does not participate in any sort of bug bounty programs. An "ethical hacker" hacked into one of our small back end tools and is pressuring us for money to reveal what he did and is sort of threatening to release confidential information from it. How should we handle this?

SavageBeast 11 hours ago

Tell him your accounting department can only issue paper checks. Get his name and address "for the check", of course. Also, your accounting department can't issue any check without an invoice, so he needs to give you a detailed invoice.

Then you can out him or take up legal action, or send some goons over to his house for that matter.

If you really want to have some fun, tell him you're happy to pay him but he must become an Approved Vendor first ... and boy, that's a process, but you want to get paid, right? This is the only way accounting will pay anybody. Sorry :)

cebert 12 hours ago

If you have a legal department and security officer, I’d get them involved immediately.

not_your_vase 11 hours ago

If you can, involve law enforcement (if you have enough info about the intruder, and he is in your country, etc...).

But in any case, take it as a learning opportunity. Fire your incompetent sysadmins and developers who allowed this to happen with their insecure garbage, and get people who have at least seen a computer on a picture. Not trying to victim-blame here, but letting this happen in 2025 is absolutely ridiculous.

talldayo 12 hours ago

Is "securing your backend" an option on the table? A simple VPN or network subnet might frustrate them and send them away, but if your product isn't secure that's a serious problem you should fix.