Comment by themanmaran

6 days ago

> If it were me, I would have avoided involving third party regulators in the initial contact at least.

I'm surprised to see this take only mentioned once in this thread. I think people here are not aware of the sheer amount of fraud in the "bug bounty" space. As soon as you have a public product you get at least 1 of these attempts per week of someone trying to shake you down for a disclosure that they'll disclose after you pay them something. Typically you just report them as spam and move on.

But if I got one that had some credible evidence of them reporting me to a government agency already, I'd immediately get a lawyer to send a cease and desist.

It seems like OP was trying to be a by-the-book, law-abiding citizen, but the sheer amount of fraud in this space makes it really hard to tell the difference from a cold email.