by munin 2707 days ago
What's hard to get from this is a sense of quality. For one, professionals have a hard time nailing down what a "quality bug" is - if given a few different bugs and told to rank them, you could probably come up with some ranking of your own, but it would probably be different from your coworkers', bosses', customers', etc. So that sucks. However, there are also reported findings that most people could agree are low to no value. How many of those show up in bounty programs vs. internal finds or commissioned audits? Of the people at the top of the distribution, how many of them are reporting many high-quality finds, or spray-and-pray with lots of chaff? Are there "diamonds in the rough" near the bottom that only get out one or two a year, but those are high quality? Is that an indicator that if those reporters could be given full-time jobs doing audits, their productivity would rise?