On Christmas day, our web service came under an apparent attack and we responded by blocking the (single) source IP. Upon later investigation, it turns out the 'attack' was actually an intense vulnerability scan by a reputable company. It appears one of our hosting customers had requested it, but we don't know for sure.
The scan started with a request for what I assume to be a verification file (e.g. 38fsoif3n4.html) which did not exist. Unfortunately, our custom 404 page was temporarily misconfigured and returned an HTTP response code of 200 instead of 404. Presumably the bot checked for the verification file, was satisfied with a 200 response, and continued with the scan.
This version of events was pieced together from our log files and seems to make sense. The problem is, the company in question refuses to discuss the issue with us. In their first (and only) response to my questions, they acknowledged a scan took place and offered to pass our contact info along to the party that requested the scan.
Is this an acceptable response? I followed up and requested that since they had scanned our servers without our knowledge or consent - and presumably provided a report to a 3rd party - they should at least give us a copy of that report.
I also asked that they make their verification a bit more robust. They should, at the very least, inspect the contents of their verification file, rather than rely on a single HTTP 200 response. This was a fairly intrusive scan, with thousands of form submissions and SQL injection attempts over a short period of time. With that kind of impact, they should probably also verify via root domain email (e.g. postmaster@domain.com).
They have not responded at all to these (reasonable, I think) requests. For a security company, they've displayed a surprisingly lax approach to verification and may have revealed a vulnerability to a competitor or hacker.
How should I proceed? Legally? Executive Email Carpet-bomb? Public Shaming?
EDIT to clarify
We're not that concerned about our customer and would not pursue them legally. We provide a site-builder/CMS for non-technical users and host their sites in subdirectories. They can upload whitelisted files (no code) and enter text & html (client-side JS is OK, if they want). They would have no need to pen-test their own code, since they have none.
Our concern is the security company that scanned our server without permission, presumably gave the results of that scan to a 3rd party, and now will not even talk to us about it. I'd love to just let it go ("eh, big companies, whatta ya gonna do?"), but it seems irresponsible to just ignore it.
Just looking for any leverage, short of lawyering-up, to get the company to respond.
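The content check the poster asks for, as an added example that is not from the original post or from any scanning vendor's code: the scanner issues an unguessable filename plus a separate token, and only accepts a target when the fetched body is exactly that token. A custom 404 page misconfigured to return 200, as described above, then fails verification instead of authorising the scan. The `HttpResponse` class and `demo()` cases are constructed stand-ins so the code runs offline.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class HttpResponse:
    """Constructed stand-in for a fetched HTTP response (no network needed)."""
    status: int
    body: bytes


def new_challenge() -> tuple[str, str]:
    """Issue an unguessable filename and an unrelated token to place inside it.

    The token is independent of the filename, so an error page that echoes the
    requested path back into its HTML still cannot contain the token.
    """
    return f"{secrets.token_hex(8)}.html", secrets.token_urlsafe(32)


MAX_BODY = 4096  # a verification file is tiny; anything larger is not one


def verify_challenge(resp: HttpResponse, expected_token: str) -> tuple[bool, str]:
    """Return (ok, reason). A 200 alone is never enough; the body must match exactly."""
    if resp.status != 200:
        return False, f"status {resp.status}"
    if len(resp.body) > MAX_BODY:
        # A full CMS page (e.g. a custom 404 served with 200) is far bigger than a token.
        return False, "body too large to be a verification file"
    try:
        body = resp.body.decode("ascii").strip()
    except UnicodeDecodeError:
        return False, "non-ASCII body"
    # Exact, constant-time comparison: a substring search could be fooled by pages that reflect input.
    if not hmac.compare_digest(body.encode(), expected_token.encode()):
        return False, "body does not match token"
    return True, "verified"


def demo() -> dict[str, bool]:
    """Run the check against constructed responses; only the real file should pass."""
    _, token = new_challenge()
    cases = {
        "correct file": HttpResponse(200, token.encode() + b"\n"),
        "soft 404 (custom error page served with 200)": HttpResponse(
            200, b"<html><body><h1>Page not found</h1></body></html>"),
        "real 404": HttpResponse(404, b"Not Found"),
        "token buried in an HTML page": HttpResponse(
            200, b"<html><body>" + token.encode() + b"</body></html>"),
    }
    return {name: verify_challenge(r, token)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```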