The email was very professional. He indicated he would be discreet, and he would tell me the details if I so required. I have little doubt that part would require money.
Seeing the code was a valid copy, I immediately looked into the server in question and followed our Information Sharing and Analysis Organization (ISAO) guide for auditing API servers. The audit enabled me to uncover a configuration issue (misconfiguration), and I was able to figure out how he managed to see our source code. That issue was related to one of our volunteers failing to follow our security guideline (another ISAO document). Everybody makes mistakes from time to time. Since we are a volunteer-only organization, mistakes are easier to make.
Within a few minutes both issues were resolved.
I then replied to my new Bosnian friend and let him know that I saw he had pulled our code from a Bosnian IP address and that there were two issues involved, both of which had been corrected. I thanked him for pointing it out to me and asked him what methods I could use to send him a little money.
He confirmed the issues had been resolved and gave me several methods for sending him some money, which I gladly used. I also stated that I would be happy to write a letter of endorsement on his interaction with me.
It was money well spent. The service this security researcher provided was to point out a misconfiguration issue. That led to finding another issue on the same server. That issue would have persisted for a long time, and who knows what a malicious actor would have done with the same level of access/discovery.
The story ended happily. Both of us are better off.