E-mails about "Vulnerabilities in your site" from Elvin Isaac

19 May 2022

This page early draft and could have significant changes.

Recently I received an e-mail with the subject "Vulnerabilities in your site" from Elvin Isaac. Website owners periodically receive junk e-mails that end up in the trash instantly, but when it comes to website vulnerabilities, is not something that should be easily dismissed, so I did some digging to see if it's a real deal or a scam. I thought it would be wise to share my thoughts so others don't fall for it.

The first flag that this might be a scam was that the e-mail was automatically flagged as spam, meaning multiple people got something similar.

Furthermore, when investigating if this is a legitimate claim, if others received something like this, if Elvin Isaac is a real person, I decided to Google search, nothing came up. But then I noticed that Google showed as suggested related searches the following : "elvin isaac hacker", "elvin isaac bug bounty", "elvin isaac security", so it's pretty clear a bunch of people searched about Elvin Isaac recently.

Below is the e-mail I got:

From: Elvin Isaac <elvin.isaac009 @ ...>
Subject: Vulnerabilities in your site

Hi team,

Hope that you're doing all good and healthy.I would like to draw your
attention to some of the vulnerabilities in your site which i would like to
Kindly provide me the email of relevant team or person and let me know if
there is any bug bounty program or reward regarding this disclosure of
vulnerabilities as this work requires both cost and time


One thing is for sure, Elvin Isaac is not a good Samaritan. He is also not a legitimate website visitor, stumbling on some critical website vulnerability and offering to help you out.

At the very best, Elvin Isaac is one of those people operating bots that scan websites for vulnerabilities, as such scans happen daily, that may or may not discovered anything. But based on information I gathered, some that I didn't make public, I believe this isn't even the case and that the person behind Elvin Isaac is just a scammer.

This kind of "offers" are not something new, you can read more here and here.

Donation notice
Was this helpful? Please consider supporting us by making a donation.


  1. BossUK16 Dec 2022 @ 15:44

    Thanks for posting this, I can confirm we have just received the exact same message.


  2. Bas17 Jan 2023 @ 13:07

    Thanks, I received the exact same message (exact!) but from David Marvi.


  3. Anonymous30 Jan 2023 @ 11:06

    Thanks for posting this, I can confirm we have just received the exact same message.


  4. J B20 Feb 2023 @ 18:12

    This was helpful, thanks for posting


  5. Wladimir Palant09 Aug 2023 @ 17:30

    Wow, this Elvin Isaac sure is persistent. Just got the same email from him, almost identical text. That’s 15 months after your post.


  6. soulchild04 Sep 2023 @ 19:34

    I have managed to bait him into disclosing, by mentioning "no proof no talk no payout"

    The "vulnerabilities" are just bogus "clickjacking" and "DMARC spoofing", which have 0 impact on how a website operate.

    I have attached screenshots on my tweet here :https://twitter.com/soulchildpls/status/1698735890351431712


  7. Nikita04 Jan 2024 @ 18:01

    Thanks for posting. I've had exactly the same thoughts, and already wrote a draft response email, when moments before clicking send - found your post.
    In my case, "Elvin" used a different text:
    I am a Cyber Security Analyst, I have found some vulnerabilities in your site which I would like to report.
    Kindly confirm whether there is any bug bounty program or payout?,
    Could you let me know?

    Also, another potetinal red flag is that I have a security.txt file setup on my site, and the email I've got from Elvin was sent not to the security email, but rather to our general contact email on the website. So chances are, that he used a bot to parse it and send the email itself.


  8. hakuna04 Jan 2024 @ 22:09

    I just received the same email, when I saw the post, make me feel better, thanks all to share


  9. Evangeline26 Jan 2024 @ 09:51

    Thanks for sharing, we have also receive similar email from the same email address:

    I am a Cyber Security Analyst, I have found some vulnerabilities in your site which I would like to report.
    Kindly confirm whether there is any bug bounty program or payout.
    Could you let me know?
    Elvin Issac



Leave a new commentReply to comment

Comment received.
Your comment may be held for moderation. If it does not show up immediately, please be patient. Comments have to comply with these rules:
  • English language only
  • Don't post insults or threats
  • Try to keep the discussion constructive and informative
  • Don't post questions without doing a search beforehand
  • For replies to individuals regarding the SAME discussion, use Reply to write to that individual. For a NEW issue write a new comment.
  • Make your comment easly readable. Write the product names how they are originally written or at least capitalize their first letter. Write "i" as "I". Add a space after end of a sentence and beginning of another (e.g. ".I" -> ". I").

We've noticed that you're using an AdBlocker

It's not just you, over 66% of our site's visitors are blocking the ads.

Please disable adblock for this website and refresh this page if you:
find the content useful
want us to create more useful content and software
want tech support through the comment section

The ads are placed so that there is minimal interference with page reading. There are no pop-up, pop-under or sticky ads.

Alternatively, you can support us by making a donation.