> Why is it an extortion request and "white hats" if they have successfully found a security issue in your project and reported it to you, without actually exploiting it?

Presumably because there is some demand for compensation before disclosure?