This made me absolutely livid:

> We requested a security incident report from the ethical hackers as proof

So instead of paying him a fair bug bounty, they demand that he write a formal report for them and prove to them that there is even a problem.

Totally unhinged, but it gets worse:

> the response was a demand for money for the report, which confirmed our suspicion that this was a ransom-related incident.

Wow. So when the security researcher informs them that he would be happy to do some consulting work for them and informs them of his rates, they flip out and accuse his initial good samaritan decision to inform the company of the issue of being part of a plot by him to hold the company for ransom?

Whoever thought this is both totally delusional and a complete jerk. Truly, no good deed goes unpunished.