I got an email 20 days ago, I dont have a bug bounty program as I cannot afford it. but unsolicited, I got an email twenty days ago about having the clickjacking vulnerability, etc. It was well explained and he told how to fix it, however, at the end he said “I hope to receive service fee for the responsible disclosure of the vulnerability”

I didn’t see the email before so I never made a reply, but today I received this:

“Hi,
Have you any updates on the reported bug?
It’s been a long time since I have reported the bug, but I have not received any response from you
Hope to hear from you today.
And I am hoping to receive a reward for the reported bug.”

It sounds he is -demanding- a compensation for the reported bug but I have the feeling he is doing bulk scanning for this common vulnerability and doing follow ups, etc. Still, his discovery was kind of an improvement even if it wasnt a big threat, I just don’t know if paying would make matters worse, I can only send 50$, maybe 100$ if push it, and I dont wand to offend him as maybe he expects more, would it be better to just not answer or a polite thank you?

​

He sent this as poc
PoC

<html>

<body>

<h1> Clickjacking in your website </h1>

<iframe width=”1000″ height=”500″ src=” [m](https://smpagent.com/app/)ywebsiteaddress “/>

</body>

</html>