HACKER Q&A
📣 CSMastermind

How to respond to compensation request to reveal security vulnerability


You're a small startup and someone claiming to be a bug bounty hunter cold reaches out to you to say they've discovered a critical security vulnerability on your website.

They want to know if you have a bug bounty program and what type of reward they'll receive if they disclose it to you.

Being a small startup, you don't have any formal program and cash is tight, but you want to take the report seriously if there is some critical vulnerability in your application.

What's the right way to respond to this type of reach out?


👤 julienreszka Accepted Answer ✓
"Thank you for reaching out to us about the security vulnerability you've discovered. We don't have a formal bug bounty program at this time, but we are interested in hearing more about what you've found and would be willing to offer a reward for disclosure of the details. Please let us know if you're interested in sharing more information."

👤 mtmail
Many of the emails are sent in bulk. We have a published security page, a security.txt, a link in the footer of our page, a security@/abuse@ email alias, and still receive the random email asking if there's a security program. The person hasn't found anything yet; at most it was a relatively easy automated scan. Those we replied to then never came forward with a report; now we no longer reply.

Rewards can also be swag; even large, well-known brands sometimes send branded t-shirts or socks instead of payment for low-severity security issues (e.g. open directory listing on a website that doesn't contain any important files).

Be sceptical about 'critical'. In my experience just about anything gets labeled high and critical in these emails. "You should require a captcha on your contact form, otherwise someone could send you 1000 emails" was deemed critical by one person recently.

Reply with a promise to look into the issue and a non-commitment first. The comment from julienreszka is perfect.
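As an added example (not from the thread or any of its posters), here is a minimal security.txt in the RFC 9116 format mtmail mentions, with constructed placeholder domain, URLs and date; the Policy page it points to is where a startup without a paid program can state up front what it does and does not offer:

```text
# security.txt for example.com (constructed example: replace the placeholder
# domain, addresses and date with your own). Served from
# https://example.com/.well-known/security.txt as described in RFC 9116.

# Where reports go: the security@ alias from the thread, plus a web form.
Contact: mailto:security@example.com
Contact: https://example.com/security/report

# Required field. The file is treated as stale after this date, so set a
# reminder to refresh it (the RFC recommends a date less than a year out).
Expires: 2025-12-31T23:59:59Z

# Lets a reporter encrypt the details of a finding to you.
Encryption: https://example.com/security/pgp-key.txt

# Points at a page stating the terms, e.g. "we have no paid bounty program;
# valid reports are credited and may receive swag". Publishing that answers
# the "what reward will I get" question before it is asked.
Policy: https://example.com/security/disclosure-policy

# Public thank-you page for reporters; costs nothing and is a common reward.
Acknowledgments: https://example.com/security/hall-of-fame

Preferred-Languages: en

# Lets a reader check that this copy is the authoritative one.
Canonical: https://example.com/.well-known/security.txt
```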


👤 themodelplumber
Pretty much what you said in the third para is a fine reply IMO; see how it goes from there. Up-front and authentic.

A lot of people reporting these are doing automated scans anyway, so it's not like they spent all day combing your site back to front. You may also receive an automated notification of the same bug through e.g. openbugbounty.org.


👤 toast0
Previously discussed: https://news.ycombinator.com/item?id=32938408

Likely this is the same script.