What you say has seriously nothing to do with what the previous comment says. In fact, it's an argument for what he says. If someone discloses a security hole to you, you reward him. Two reasons why:
- You now know what the issue is and that there is one. He may have sold all of your organization's private data to some other guy, but that's a constant in your situation. The only difference is knowing the source of the hole. If it helps get disclosure, even if it's from a black hat and he did commit something unethical, he still gave you something to fix.
- It gives white hats a way to find holes in your security. Without that, they have no incentive to work on it. Again, I will work with constants: black hats are a constant in the situation; either way they will try it, but without a bug bounty, you will only have black hats. So what does knowing whether it's a black hat or a white hat change for you? Nothing. You still should have a bug bounty that rewards disclosure, because that's the only way to increase your odds of fixing these security holes (the only thing that matters the most, whatever happens). (I'm not saying not to do anything, though: if you see a SQL injection in your logs, you fix it either way.)