"Writable" is a pretty generic term and can be interpreted many different ways. They could be referring to directories, or "writing" to your SQL DB if you have one, it may also be a file injection vuln.
What bothers me most is your comment that they did it "off their own back"... The way you originally wrote that, it seems to me that this "company" did a pen test on your site without your permission, knowledge or consent. True?
If true, they found an issue, and are now saying "we found something on your site, but we won't tell you until you pay us something." True again?
If true again, this would be known as extortion (maybe something lesser, but extortion is such a sexy word). At this point, you might want to get some legal people involved. If whoever this is had wholesome pure intentions, they'd tell you what the problem was and not demand money. If they pen tested your site without consent, you should have full legal precedence to go after them. You might want to start collecting logs ASAFP in case you wind up in the middle of some legal action. (Of course, this doesn't solve your issue of finding out what the flaw is. You may get that information from legal proceedings, or you may have to hire a legit pen tester to find it for you. Or, you could just shell out the dough to whoever this is, but they may also be scamming you. You pay them, then you never hear from them again, or they send you on a goose chase, and they get a nice pay day.)
If this is a company you hired to perform a pen test, a full report, including technical details on any flaws, should be part of the package. If you have to pay extra for data... you need someone that writes better engagement contracts.