Hacker News
by cwills 2502 days ago
> and she finds an issue in my product that I don't agree is a real vulnerability

If it’s not a real vulnerability then why would it matter if she publicised it?

Or, is it actually a real vulnerability but you don’t want to admit it because she (the security consultant) is getting paid per vulnerability found?

1 comment

Because most people can't and don't critically evaluate vulnerability reports. If "SpicyLemonZest Windows Client Local Privilege Escalation 0day" becomes a trending headline, my customers will demand I do something about it, even if I have a perfect explanation for why it's not a real vulnerability and they're at no risk.