Comment by jonathanlydall

2 months ago

Someone who runs a small company with a static content website got an email like this; I was thinking a response like the following might be appropriate:

Thank you for reaching out to us. Please be aware that we do not run any kind of security bounty/reward programs.

Having performed our own analysis we have not been able to identify any practically exploitable security risks.

If you have found a practically exploitable security issue with our website, please provide some form of demonstration so that we may discuss further.

I don’t think that would come across as not being concerned about security, but puts the onus on the “researcher” to prove there is a real problem.

Chances are they did some automated scan and found some out-of-date JavaScript library version which, despite having a vulnerability, is not actually a security risk on a static content site.