Email received regarding Security flaw in website
TL;DR: It's probably well-intentioned and not a scam, but just poorly written.
I don't know of any kind of scam that would be based on this. Certainly there have been attempts to extort website owners for money based on knowledge of website vulnerabilities (and the implicit threat to exploit them), but that doesn't look like the case here.
It's not a very well-written disclosure email. I've certainly stumbled across vulnerabilities before (obviously, attempting to exploit them on a site that hasn't given permission would be illegal, but there are some that can be obvious without attempting exploitation), and sent emails with the same intent as the author above, but I try to provide all the detail in the first email. I want to help. I don't want to bounce back and forth in email land.
If it were me, I would ask them for details: what page (or pages) contain the vulnerabilities, which parameters are injectable, and whether they could share a proof of concept. If you're not familiar with XSS, I recommend reading the OWASP page on the vulnerability. It's both very common and can be critical, depending on the context. A typical proof of concept (PoC) for XSS won't be dangerous to you or your site, but will do something like pop up a javascript alert box containing the hostname of the site, your session cookes, or even just the number 1. Any of those show that a malicious attacker could be running Javascript on your site, which would have significant implications for your site security.
As some have pointed out, it's also possible the lack of information is them playing it "cagey" will looking for a reward/payment. Obviously, if your site does not have a published bug bounty, you're under no obligation to do so.
Does not appear to be a scam, though it might be a type of mass-mailing due to lack of details. Maybe some guy needs money, runs Nessus on a bunch of sites and is now angling for a small reward from each?
I'd run Nessus (or some other scanner) myself to check, then contact the guy and ask for details. Truthfully answer his question about bug rewards. If you run a bug reward program and he found one, he should get his reward, that's what the program is for, right? If you don't, simply explain that you don't, but are anyway grateful for his heads-up.
This is called fear marketing or fear appeal. It's a marketing method that uses fear as the trigger for action.
https://en.wikipedia.org/wiki/Fear_appeal
The email contains the 3 basic stages of fear appeal.
- present a risk.
- present a vulnerability to the risk.
- suggest a protective action.
It is generally considered unethical.
I'm only pointing this aspact out, because the email is an unsolicited attempt to get a response using fear. It's the fact that the sender completely left out the details of what the issue is. You have to contact them to get a response, and they've already stated that they expect a token of appreciation.
When a scammer is fishing for victims they must first qualify a list of possible targets. His/her scam involves fear as a trigger to action, and if you respond you than qualify as a person who reacts to fear tactics.
It's likely they will escalate the seriousness of the problem until a trade can be made for details about the security flaw. He/she will most likely request payment by bitcoin for the information.
A true professional security consultant would have provided full contact details, mailing address and phone number of their consulting services. They also would have mentioned the benefits of their services. Where as, this email only mentions the risk of not responding.
The best approach to handling this email is to contact a creditable security consultant, and hire them to investigate the claims.