The initial email exchange is indeed a sight to see, so I transcribed the text in the image:
---------
Hello Mike et al
Thank you for making yourself available. There is a security vulnerability on the delivery.panerabread.com website that exposes sensitive information belonging to every customer who has signed up for an account to order Panera Bread once. This shows the customer's full name, email address, phone number and the last four digits of their saved credit card number. Moreover, the users are easily enumerable, which means an attacker can crawl through the records.
I can provide the specific details of the vulnerability over email once you respond, but if you prefer (for more security), I can also encrypt the information with a PGP key you provide me. Alternatively we can hop on a phone call.
Best Regards,
Dylan Houlihan
--------------
Dylan
My team received your emails; however, they were very suspicious and appeared to be a scam in nature, and were therefore ignored. If this is a sales tactic, I would highly recommend a better approach, as demanding a PGP key would not be a good way to start off. As a security professional you should be aware that any organization that has a security practice would never respond to a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found, but I will not be duped, have restitution/a bounty demanded of me, or listen to a sales pitch.
If you are in a position where you don't understand the e-mail, then ASK someone who does. Or do a quick Google search for "PGP e-mail"; wow, was that so hard? The guy was probably late for a golf game or something (OK, now I am being mean). Idiots.
In my last job I was responsible for onboarding B2B clients to send us HR data through SFTP with key authentication. We also recommended they encrypt with our public PGP key and sign with their private key.
Trying to explain the difference between SSH keys and PGP/GPG keys took up a good 20% of my time some weeks. Often, I was talking to tech companies, or companies with a reputation for technology... I don't think the majority of Windows admins understand public/private keys.
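The handoff the comment above describes, as an added example that is not part of the thread: the client encrypts the HR file to the vendor's public PGP key and signs it with the client's own private key; the vendor decrypts with its private key and accepts the file only if the signature checks out against the client's fingerprint. It goes a little beyond the comment by also showing the two key-role facts that cause the confusion it mentions: the sender cannot decrypt what it encrypted to someone else's public key, and a file altered in transit is rejected rather than silently accepted. Both identities, the payload and all file names are constructed for the demo, the "SFTP upload" is a plain file copy, and `--trust-model always` is a demo shortcut (in production, pin the fingerprint exchanged out of band). It assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example, not code from the thread. Two GnuPG homes stand in for the
# two organizations; identities, payload and paths are constructed.
set -eu

WORK="$(mktemp -d)"
CLIENT_HOME="$WORK/client-gnupg"   # the B2B client sending HR data
VENDOR_HOME="$WORK/vendor-gnupg"   # us, receiving the SFTP upload
CLIENT_UID="HR Export <hr@client.example>"       # hypothetical identity
VENDOR_UID="Onboarding <intake@vendor.example>"  # hypothetical identity

kill_agents() {
  for h in "$CLIENT_HOME" "$VENDOR_HOME"; do
    GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
  done
}
trap 'kill_agents; rm -rf "$WORK"' EXIT

# gpg that never prompts: batch mode, empty passphrase, imported keys treated
# as trusted. "--trust-model always" is for the demo only.
gpg_batch() {
  home="$1"; shift
  GNUPGHOME="$home" gpg --batch --quiet --yes --pinentry-mode loopback \
    --passphrase '' --trust-model always "$@"
}

# Each side generates its own keypair and hands over only the public half.
setup_keys() {
  kill_agents
  rm -rf "$CLIENT_HOME" "$VENDOR_HOME"
  mkdir -m 700 "$CLIENT_HOME" "$VENDOR_HOME"
  gpg_batch "$CLIENT_HOME" --quick-gen-key "$CLIENT_UID" default default never
  gpg_batch "$VENDOR_HOME" --quick-gen-key "$VENDOR_UID" default default never
  gpg_batch "$CLIENT_HOME" --armor --export "$CLIENT_UID" > "$WORK/client.pub"
  gpg_batch "$VENDOR_HOME" --armor --export "$VENDOR_UID" > "$WORK/vendor.pub"
  gpg_batch "$CLIENT_HOME" --import "$WORK/vendor.pub"   # client gets OUR public key
  gpg_batch "$VENDOR_HOME" --import "$WORK/client.pub"   # we get THEIR public key
}

# Client side: encrypt to the vendor's public key and sign with the client's
# private key in one pass. $1 = plaintext, $2 = file to upload.
client_encrypt_and_sign() {
  gpg_batch "$CLIENT_HOME" --local-user "$CLIENT_UID" --recipient "$VENDOR_UID" \
    --sign --encrypt --output "$2" "$1"
}

# Vendor side: decrypt with our private key and accept only if gpg reports a
# VALIDSIG whose primary-key fingerprint is the client's. $1 = upload,
# $2 = where to write the plaintext. Prints the plaintext on success.
vendor_decrypt_and_verify() {
  expected_fpr="$(gpg_batch "$VENDOR_HOME" --with-colons --fingerprint "$CLIENT_UID" \
    | awk -F: '$1=="fpr"{print $10; exit}')"
  status="$(gpg_batch "$VENDOR_HOME" --status-fd 1 --output "$2" --decrypt "$1")"
  signer_fpr="$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $NF; exit}')"
  [ -n "$signer_fpr" ] && [ "$signer_fpr" = "$expected_fpr" ] || return 1
  cat "$2"
}

# The key-role point the comment is making: the client holds only the
# vendor's PUBLIC key, so it cannot decrypt the file it just produced.
client_cannot_decrypt() {
  if gpg_batch "$CLIENT_HOME" --output /dev/null --decrypt "$1" 2>/dev/null; then
    return 1
  fi
}

# Change one byte of the upload (inside the encrypted session key) and check
# that the vendor side rejects it instead of returning plaintext.
tampered_upload_is_rejected() {
  orig="$(od -An -tu1 -j40 -N1 "$1" | tr -d ' ')"
  { head -c 40 "$1"; printf "\\$(printf '%03o' $(( (orig + 1) % 256 )))"
    tail -c +42 "$1"; } > "$1.tampered"
  if vendor_decrypt_and_verify "$1.tampered" "$WORK/tampered.out" 2>/dev/null; then
    return 1
  fi
}

# Whole exchange. Prints the plaintext recovered on the vendor side.
run_demo() {
  setup_keys
  printf 'employee_id,name,start_date\n1001,A. Example,2018-04-02\n' \
    > "$WORK/hr.csv"                                   # constructed payload
  client_encrypt_and_sign "$WORK/hr.csv" "$WORK/hr.csv.gpg"
  cp "$WORK/hr.csv.gpg" "$WORK/upload.gpg"             # stands in for SFTP
  client_cannot_decrypt "$WORK/upload.gpg"
  tampered_upload_is_rejected "$WORK/upload.gpg"
  vendor_decrypt_and_verify "$WORK/upload.gpg" "$WORK/hr.decrypted.csv"
}

run_demo
```

The fingerprint comparison in `vendor_decrypt_and_verify` is the part people skip: with `--trust-model always`, or with a keyring that has grown over years of onboarding, "Good signature" alone only says that some key in the keyring signed the file, not that it was this client's.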