
Our company has an online app that requires users to create a business account. Yesterday some suspicious accounts were made, and our system automatically blocked the account creators and their IP addresses.

And today we have received an email saying: "Hello, my name is [name], I am a white hat hacker and want to perform penetration tests on your website. Please enable my account."

What should we expect? What is he trying to achieve?

undefinedman
  • 113
  • 4

2 Answers

4

The person who contacted you was most certainly not a "white-hat hacker". This is not how they operate. The person is most likely trying to scam you in the simplest possible way.

What is a White-Hat Hacker?

In the simplest terms, a White-Hat Hacker (henceforth called "White-Hat") is a security professional hired by a company, group or individual (henceforth called "customer") to test a system owned by said customer.

The White-Hat and the customer agree on a scope of the test, the timeframe, how vulnerabilities should be reported, user accounts for systems to be tested and similar agreements. This is usually referred to as a "Permission to Attack" and is the legal basis of the work of a White-Hat.

Then the White-Hat proceeds to do their work, writes a report and makes suggestions to the customer on how to improve the security of their system.

Simplified, a White-Hat is a Hacker you hire to test your systems.

What is a Black-Hat Hacker?

A Black-Hat Hacker (henceforth called "Black-Hat") does not have an aforementioned "Permission to Attack" and tries to find vulnerabilities wherever they can. Since their "work" is not backed by any legal grounds, they don't need to worry about playing by the rules, collateral damage, etc.

Black-Hats can have various motivations. The overwhelming majority does it for monetary gain, although others can be in it "for teh lulz", for political reasons or for their own personal convictions.

Simplified, a Black-Hat Hacker is a Hacker that tries to exploit vulnerabilities without any legal basis to do so.

I've been contacted by a person claiming to be a White-Hat regarding a vulnerability. Is it a scam?

Not necessarily. Some products or programs reside "offline" and are thus owned by the White-Hat Hacker. I don't need permission of a lock manufacturer to pick a bike lock that I bought from them. (I do however need permission of the owner of that individual lock!) If I found a design flaw in said lock, I can contact the manufacturer and inform them of said vulnerability.

Similarly, I could buy a product and analyze it. If I found a vulnerability, then contacting the vendor through a responsible disclosure procedure would be the only ethical thing to do.

However, in such cases it always has to be asked "Whose system was attacked?". In the case of the bike lock, it is clear. I owned the lock, hence I can attack it. With software, especially cloud-based applications, the issue of ownership becomes much more complicated.

I stick to the rule "When in doubt, call an expert!" and in this case an expert would be a lawyer.

To summarize the question, "It's not always a scam and could be an attempt at responsible disclosure. Proceed carefully."

1

As MechMK1 mentions, this is just a scam. They are not a White-Hat hacker because that is not how they operate.

I did want to mention something I have heard referred to as "grey-hat hackers." These are hackers who attack a company illegally, then go to the company to work with them to fix the vulnerabilities as a proper contractor. The initial illegal hack is used as a "job interview" of sorts, demonstrating their competency. This "interview" is, of course, illegal and potentially dangerous to the company, which is why White-Hat hackers do not go down this route. I will not provide an opinion on whether grey-hat hackers provide a service to your company or are the enemy of your company. There is plenty of literature to peruse on the topic to come to your own conclusion.

However, if you decide this was indeed a grey-hat hacker (rather than a black-hat hacker whose intent is detrimental to your company), and your company leadership decides that working with grey-hat hackers is acceptable policy for your company, I would point out that he did not successfully compromise your systems. He didn't get in. You stopped him with your automated tools.

So, at best I would say that qualifies as failing the job interview, and you probably don't want him doing penetration tests for your company. At worst, he's a black hat hacker, and you don't want him doing penetration tests for your company.

Cort Ammon
  • 9,206
  • 3
  • 25
  • 26