Who performs ethical hacks

This is mainly done either by information security specialists, who are expected to understand exactly where vulnerabilities may appear in a system or product, or by developers with an appropriate penetration testing certification. It is important that these are third-party contractors and not the same people who created the product: the latter look at their own work with a blind spot and may not find the vulnerabilities they themselves left behind.

Ethical hacking is primarily about the desire to help the site

And not about making a huge profit. Therefore, all tests should be carried out with the permission of the site owner, especially if they may look like a brute force attack (an attack that iterates through all possible solutions or vulnerabilities) or a denial of service attack.

And even if the owner refuses to listen to recommendations or does not fix simple errors for months, although the problem is very important and can lead to exploitation (for example, denial of service of a computer system), it is permissible to publicly announce only minimal details. But this should be a last resort, not a first step.

Before offering your services to the site owner and putting up a price list, it is worth finding out whether there are any rewards for finding vulnerabilities here at all. It is unacceptable to demand money in the first letter in exchange for reporting errors — let the site owner verify that the report describes a real problem, and see what they offer you.

If a good job has been done and the site has a reward program, you will not have to ask for money. And it is unacceptable to demand remuneration without providing the information — that is already ordinary blackmail.