When making a security disclosure to any organization or company, you must be delicate and careful in how you craft the message to the recipient. It is not an easy process to disclose that there are issues, especially when the disclosure is unsolicited. No one likes to hear that there are problems with their cybersecurity.
However, to the companies and organizations that receive these disclosures: please take a moment and do not shoot the infosec messenger. As someone who identifies security issues day in and day out, I can say it is a thankless job. Countless hours are spent poring over data sets, and at the end of the day, researchers rarely see a bug bounty like the ones you hear about from Facebook or Twitter.
It is extremely sad to hear that the recipient of a disclosure jumps to the conclusion that the messenger is a rogue, malicious actor. Think about it for a moment. The fact that an individual or entity took the time to say something to your organization or company should generally be an indicator that their intentions are not malicious, that they potentially found something of interest, and that it might be worthwhile to investigate. If their intent were malicious, they would never have taken the time to reach out and say, “there’s a potential problem and it doesn’t hurt to take a few moments to look at it with some scrutiny.”
It is also not an opportunity to be disrespectful or unprofessional to the individual or party who reached out to contact you, nor is it an opportunity to insult their analysis. They most certainly do not understand your business processes, but they may very well have information or intelligence feeds that you do not know exist. The really good researchers know how to leverage those intelligence feeds and do not need to launch any tools or scans against your infrastructure to determine that security issues exist.
Being disrespectful or unprofessional to this individual or company may lead to awkward moments in the future, when they may be the very people you call to help you out with a security issue or data breach.
If there are questions about the analysis, it never hurts to ASK, politely and professionally. If the conclusion is incorrect or the data doesn’t match, ask them how they drew their conclusions and performed their analysis (you certainly do not have to volunteer any information to them, given social engineering concerns). Most entities whose intent is to help you will offer information on how they drew their conclusions and share with you what they found.
It is never wise to burn a bridge.