Lessons · #Security #SaaS #Lessons #BuildinginPublic

A stranger asked me for €100 to "fix" a security issue. Here's what I actually learned

· 5 min read

Someone DM’d me claiming they had found a security vulnerability in my SaaS.

They showed a screenshot, mentioned SPF / DMARC, and asked for €100 to disclose the details.

It didn’t feel like an emergency, but it felt serious enough to check.

So I did the boring thing.

I verified it.

It wasn’t a critical vulnerability. It wasn’t an exploit. It was a missing strict DMARC policy: the domain’s DMARC policy wasn’t set to enforce (quarantine or reject), which is what tells receiving mail servers to drop mail that spoofs the domain.

A real issue? Yes. An emergency? No.

I fixed it in minutes.
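The check described above, as an added example that is not code from the original post: a small classifier that takes the text of a `_dmarc` TXT record and reports whether it is missing, weak (monitor-only, partial, or not covering subdomains) or strict (quarantine/reject at 100% for the domain and its subdomains). The two records are constructed for the example, not the author’s real DNS; to check your own domain, fetch the record first with `dig +short TXT _dmarc.yourdomain.example` and pass the string in.

```python
"""Classify a DMARC TXT record as missing, weak or strict.

Added example, not code from the original post. The records below are
constructed; fetch a real one with `dig +short TXT _dmarc.example.com`.
"""
from __future__ import annotations

# Constructed sample records (not the author's real DNS data).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_RECORD = (
    "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
    "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1"
)

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict, stripping whitespace.

    Per RFC 7489 the record must begin with v=DMARC1; anything else is not
    a DMARC record and receivers ignore it, so we raise instead of guessing.
    """
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("record does not start with v=DMARC1")
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(record: str | None) -> tuple[str, list[str]]:
    """Return (level, findings) where level is 'missing', 'weak' or 'strict'.

    'strict' means unauthenticated mail claiming the domain is quarantined
    or rejected for 100% of messages, on the organisational domain and on
    its subdomains. Anything short of that is what the post calls a
    missing strict policy.
    """
    if record is None:
        return "missing", ["no _dmarc TXT record published"]
    findings: list[str] = []
    tags = parse_dmarc(record)
    policy = tags.get("p")
    if policy is None:
        return "missing", ["no p= tag; receivers treat the record as invalid"]
    # The subdomain policy defaults to p when sp is absent.
    sub_policy = tags.get("sp", policy)
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if sub_policy == "none":
        findings.append("sp=none leaves subdomains spoofable")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("no rua= address; you get no aggregate reports")
    enforced = policy in ENFORCING and sub_policy in ENFORCING and pct == 100
    return ("strict" if enforced else "weak"), findings


if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strict", STRICT_RECORD), ("missing", None)):
        level, notes = classify_dmarc(rec)
        print(f"{name:8s} -> {level}: {'; '.join(notes) or 'ok'}")
```

The fix the post describes is the move from something like `WEAK_RECORD` to something like `STRICT_RECORD`. Going straight to `p=reject` is safe only if every legitimate sender (marketing tool, transactional mail provider, ticketing system) already passes SPF or DKIM aligned with the domain; the `rua` reports are how you find out before enforcing.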

But the real lesson wasn’t about DMARC.

The real lesson was about structure.

I realized that if you don’t clearly define how security issues should be reported, people will try to turn private DMs into a negotiation channel: urgency, pressure, and money included.

That’s a bad place to make decisions.

So I did three things immediately:

  1. Fixed the email configuration (DMARC).
  2. Published a simple public security policy.
  3. Added a security.txt file that clearly states:
    • how vulnerabilities should be reported
    • what is in scope and what isn’t
    • that we don’t negotiate security issues via DMs
    • and that there are no monetary rewards at this stage
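The third item above, as an added example that is not the author’s actual file: a generator and a lint check for `/.well-known/security.txt` in the RFC 9116 format. The domain, contact address and policy URL are placeholders standing in for the post’s own. RFC 9116 has no free-form field for rules such as “no DM negotiation” or “no bounty”, so the example puts those in `#` comment lines (which the format allows) and leaves the enforceable statements to the machine-readable fields, with the detail living at the linked `Policy:` page. The https requirement is checked for every web link here; the RFC mandates it for web URIs in `Contact`, and applying it to `Canonical` and `Policy` as well is a conservative house rule.

```python
"""Generate and sanity-check a /.well-known/security.txt (RFC 9116).

Added example, not the author's file. Domain, contact address and policy
URL are placeholders; the free-text rules from the post are carried as
'#' comments, which RFC 9116 permits.
"""
from __future__ import annotations

from datetime import datetime, timezone

REQUIRED_FIELDS = ("Contact", "Expires")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware midnight UTC, used for Expires values and for tests."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def render_security_txt(contact: str, policy_url: str, canonical_url: str,
                        expires: datetime) -> str:
    """Return the file body. Contact and Expires are the two required fields;
    Expires should be less than a year out so the file gets re-reviewed."""
    stamp = expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [
        "# Security reports: use the Contact channel below, not social-media DMs.",
        "# No bug bounty or monetary rewards at this stage; see Policy for details.",
        f"Contact: {contact}",
        f"Expires: {stamp}",
        f"Policy: {policy_url}",
        f"Canonical: {canonical_url}",
        "Preferred-Languages: en, es",
    ]
    return "\n".join(lines) + "\n"


def parse_security_txt(body: str) -> dict[str, list[str]]:
    """Collect 'Field: value' lines; a field may repeat (e.g. several Contact)."""
    fields: dict[str, list[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"not a field line: {line!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def lint_security_txt(body: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    fields = parse_security_txt(body)
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field {name}")
    if len(fields.get("Expires", [])) > 1:
        problems.append("Expires must appear exactly once")
    for value in fields.get("Contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact should be a mailto:, https:// or tel: URI, got {value!r}")
    for value in fields.get("Expires", [])[:1]:
        try:
            # RFC 3339 timestamp; fromisoformat needs the explicit offset on older Pythons.
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value!r}")
            continue
        if expires <= now:
            problems.append("Expires is in the past; the file is stale")
        elif (expires - now).days > 365:
            problems.append("Expires is more than a year out (RFC 9116 recommends less)")
    for value in fields.get("Canonical", []) + fields.get("Policy", []):
        if not value.startswith("https://"):
            problems.append(f"Canonical/Policy should be https://, got {value!r}")
    return problems


if __name__ == "__main__":
    body = render_security_txt(
        "mailto:security@example.com",          # placeholder address
        "https://example.com/security",         # placeholder policy page
        "https://example.com/.well-known/security.txt",
        utc(2025, 6, 30),
    )
    print(body)
    print("problems:", lint_security_txt(body, now=utc(2025, 1, 1)) or "none")
```

Serve the rendered text at `/.well-known/security.txt` over HTTPS with `Content-Type: text/plain`, and put a calendar reminder on the `Expires` date: a stale file is the first thing a reporter notices, and it is the same kind of unenforced default that a lax DMARC policy is.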

Now there’s no ambiguity. No improvisation. No DM negotiations.

Early-stage SaaS security doesn’t start with bug bounties or panic. It starts with boring basics and written rules.

Most security “scares” won’t come from complex exploits. They’ll come from missing structure.

Fix the boring stuff early. And make sure DMs don’t set the rules for you.

Héctor Guedea

Founder & Software Developer building AI-powered products. Recently launched Mr. Popup; building Suippy. Writing about my startups, discoveries, and building in public.