You might want to consider a "special thanks" page with the names of "white hat security researchers" who have pointed out issues. Public recognition costs you very little but for some of them it could be a significant career-building step, worth more than a few dollars or dinars.



But why would you want to build the career of someone who just scans websites with automated tools reporting vulnerabilities?


Everybody had to start somewhere. Yesterday's skids are today's legit researchers. If this is something they actually want to pursue, it could make a world of difference.


I don't think "someone who just scans websites with automated tools reporting vulnerabilities" is inherently a bad thing. At worst you get a free invocation of a tool you didn't know existed, at best you start a dialog and integrate the tool in your automated testing.


No, I think at worst you waste your time and attention reading reports of benign issues from the invocation of an automated tool that you didn't care to execute. I think this is probably the worst, and median case.

Maybe there is a way this could be useful. "I'm a security researcher. I ran this tool on your site which found these vulnerabilities. Here's why I think these vulnerabilities may be meaningful, even if they at first seem not to be" is, I think, a nice contribution and, if you make a change based on those suggestions, that merits some kind of credit. That's not really what is discussed in the article though.


Silicon Valley was built on "paying it forward".

Everyone, no matter their skill level, should put 5% of their time toward mentoring and encouraging people to grow and build more.

Someone scanning websites and checking for vulnerabilities is probably a student curious about security. Nothing wrong with a pat on the back and a free acknowledgment.


The article makes it clear this person is behaving obnoxiously in a borderline threatening way. Why would you reward and encourage that behavior? They aren't a student, it's some guy running a script to scan for vulnerabilities and then beg for bounties.


> They aren't a student, it's some guy running a script to scan for vulnerabilities and then beg for bounties.

Yeah, in this case it's pretty obviously scammers following a script from a foreign call-center.

But I mean getting a legitimate student pointing out what he thinks are security flaws (and not begging).


> But why would you want to build the career of someone who just scans websites with automated tools reporting vulnerabilities?

You wouldn't believe the things that I'd done preceding my career. And such recognition might motivate him to take the next real steps.

Not to mention that, if as a result of his scan a security improvement is made, then he did provide real value.


That's a great idea
