
Over at Security.StackExchange, a discussion broke out over the use of the term "extortion" in a situation where an anonymous security professional sent an email to a business to say that they found a vulnerability in the business' website, but the security professional asked for money upfront before they would discuss any details.

The rest of the context of the email suggests that it is likely a scam (they likely have nothing of value to offer), but I want to put that aside. The actor may or may not have an actual vulnerability to discuss.

Does the situation satisfy the general legal understandings of "extortion"? I see that New York State law and this discussion about extortion in the Doha Declaration suggest that it could be, but it might not fit perfectly.

There is an implied threat of future harm to the site or business, not necessarily by the actor themselves, that a specific, potentially existential problem exists that anyone could take advantage of. And because all security vulnerabilities are exploited by people, whether by malicious intent, accident, or mistake, extortion laws that say the loss/damage could be caused by another appear to be relevant here. Protection racket discussions seem to also be relevant.

We could reframe the situation to something non-technical:

PersonA calls PersonB, who is on vacation, and says, "I know you are away from home. There is something wrong with your house. Pay me money and I will tell you what is wrong."

Ethics and morality aside, does the situation cross over into a general legal understanding of extortion?

This has an impact on how security professionals contact people with whom they have no pre-existing relationship, to discuss the vulnerabilities they find, while hoping to offer commercial services.

schroeder

3 Answers

19

Ethics and morality aside, does the situation cross over into a general legal understanding of extortion?

No.

Extortion necessarily includes coercion.

An offer to tell what is wrong (and from the point of view of the target — only allegedly wrong) is neither threat nor force, therefore no coercion.

It would have been coercion (and therefore extortion) if the guy had said something along the lines of "If you don't pay I will exploit the vulnerability, and/or tell a bunch of bad guys about it — they will be sooo thankful to me".

Provided that the guy does not say/imply he will do something if not paid, there are no legal issues here.

Greendrake
4

In my opinion the specific case we are discussing is a borderline one. The other answers might be right in general, but they aren't considering the real "threatening" email that we have seen in the security community here on Stack Exchange. The OP didn't include the original email in his question, but I already knew what he was talking about because I had seen the original thread.

The context is necessary if we want to understand the potential threats. Whether something is extortion or not depends on how the threat is perceived by a potential victim (not really a specific victim, but on average, a reasonable person). Every tiny detail of the context might play an important role. If I told you "Buy these shoes or you will look like an idiot", that sentence will not be perceived as a threat by most people, because of several factors: context, culture, virtually nonexistent gain or loss, etc. Even if you read an advertisement saying "Buy these shoes or I'll kill you", that won't be perceived as a threat (after all, it's just an advertisement, it'd be perceived as a joke). But if you were walking alone in the dark and a masked stranger approached you saying "Buy these shoes or I'll kill you", that would feel much different. On the other hand, if a doctor says "I need more ventilators or lots of people will die from Covid-19", it's not extortion, because the threat is real and they aren't asking for a personal gain.

That said, here are the points I think we need to consider, to analyze the whole context:

  • Is the threat justified? Is the threat real or not? Has it been exaggerated to make it sound worse? Etc.
  • Freedom or coercion? Does the potential victim feel free to make any decisions? Is the potential victim free to choose between several options, or get the service from another competitor? Etc.
  • Is any personal gain justifiable? For example, if someone provides a professional service, it makes sense to pay for it. If someone wants money to give you back your data after they have stolen it, that's not a professional service.

You didn't post the original email with the potential extortion, so I'll quote it here:

I'm a Security Researcher running a vulnerability identification service for a small group of private clients, and I accidentally found some vulnerabilities in your infrastructure.

For a small fee, I will share the vulnerability details with you (includes POC, screenshots, and suggested solutions).

Paypal instructions:

Recipient: REDACTED GMAIL ADDRESS
Paying for an item or service (covered under PayPal Purchase Protection for Buyers)
Amount: $100
Add a note: [redacted, my domain name]

After I receive your payment, within 48 hours, I will send you an email with all the vulnerability information.

It is borderline because on one hand there are no direct threats, but on the other hand the email lacks important information that would have helped a lot in reassuring the client and sounding more professional. For example, the introduction is fine, except the researcher's name (or his company's name) is missing. Also, the last sentence is ambiguous because "within 48 hours" might mean you have to pay within 48 hours or it might mean that they will provide the service within 48 hours after the payment. Maybe they even phrased it like that on purpose, to make it sound ambiguous.

Here's why it is borderline, considering the points I listed above:

  • Is the threat justified? It's hard to identify the threat. If you only consider the words in the email, there is no direct or indirect threat. They don't tell you "you will be hacked", or "you might be risking something", they don't even give any advice, whether you should or shouldn't do something about it. They only state some facts. But when you consider the context, the word "vulnerability" in itself implies there is a potential danger in the information security field. However, no information is provided even on the type or severity of the vulnerability. In the INFOSEC field, a vulnerability might destroy your business within hours, or might never have any effects whatsoever, depending on its severity and who/what is affected.
  • Freedom or coercion? Hard to say. The lack of details in the email won't make the recipient feel completely free to contact the researcher, ask for more information, negotiate the price, seek advice from a competitor, etc. They immediately talk about money, which they want upfront. Even that ambiguous "within 48 hours" might be misinterpreted and put unnecessary pressure on the recipient. However, nothing stops the recipient from actually trying to contact the researcher in some way (either via the address they received it from, or via the address used for PayPal), and asking for more information.
  • Is any professional gain justifiable? They are asking for a small fee and in exchange you will get a service (a report). It's OK to be paid if you provide a service. However, nobody knows how professional that report will be, since we have no information about the researcher. Plus the initial approach is very unprofessional and non-standard anyway.

So I wouldn't be able to decide whether this specific case is extortion or not. I would say it depends on whether it is actually possible to contact the researcher by replying to the email they sent, and then how they go on interacting with the client. If they don't answer in a reasonable time, it might well be extortion because the client might feel in danger and might not be able to decide what to do. If they do answer though (and collaborate without threatening anybody), I'd say the original email in itself should not be considered a form of extortion.

reed
1

Yes, it's extortion - specifically blackmail.

From the New South Wales Crimes Act 1900 s249K:

(1) A person who makes any unwarranted demand with menaces--

(a) with the intention of obtaining a gain or of causing a loss, or

(b) with the intention of influencing the exercise of a public duty, is guilty of an offence.

Maximum penalty--Imprisonment for 10 years.

Relevantly, s249M(4) states:

(4) It is immaterial whether the menaces relate to action to be taken by the person making the demand.

Glorfindel
Dale M