@fizzyquizzler - see what I mean.
I don't know either of those fellas, but my guess is that they're most likely competent and would stand a decent chance at cracking any site. They might be jags and crackers ... I don't know, but at least they're offering to seek your permission to attempt to compromise your site. The majority of people who attempt your site, won't give you that curtousy.
Hopefully they're decent people and would ID vulnerabilities and report them, but what would stop them from gaining prividged access to your server, drop their public key into the authorized_keys file on your server, and reconfigure your server's ssh conf file to only accept keys and not passwords for ssh? I'm reaching here, but I doubt cloud service VPSs allow runlevel 1 on their servers, so in other words -they'd now own your box - completely.
I'm not trying to single them out or say anything more than this - there are people out there who are going to attempt to crack your server - and they're not going to have good intentions and they defiantly won't ask prior to do it.
Check your logs frequently. In /var/log periodically review "secure" , "access" , in the audit directory check out the audit log. Look for failed login attempts, looks for successful logins (that you didn't do). Check your history occasionally, and even other accounts to see what's being run. 'history | less' is your friend here.
And like I said - if you lose root - like someone gets in and changes the password - you no longer own that box. Get it offline.
Keep in mind both those dude probably stand a fair chance at getting access to your server - and there are THOUSANDS and THOUSANDS more who won't ask, they'll just attack.
Patch, monitor and protect that server. I'm busy doing the same to mine to deal with others who don't give a shit lose their boxes and end up spamming my email severs to try to harvest my users creds.
Just do you're due diligence and you'll be just find, but know when to recognize someone else owns your box - kill it - and try again.
Good luck!
EDIT: I'm not a cracker, but if I got your server I wouldn't change any passwords. I won't want you to know I have access, but I would install and configure openVPN on your machine to direct secure, access and openvpns logs to /dev/null to cover my tracks.
Expecting you don't regularly check ps -aux or top to be familiar with your processes, I'd use your server as a proxy for whatever the hell I want. I wouldn't care - the cops will come asking for you. I mean the traffic was coming from your box.
Not trying to scare you, just saying take a few minutes a week to "get to know" your server. That way you'll know when something looks a bit off. I'm officially off my soapbox.