by kstrauser
1400 days ago
This has been my experience, too, with security reports in general. We see things like:

- "An attacker could spoof an email from you to a user." (POC video shows Yahoo webmail succeeding. We try the same thing in Gmail, and it gets sent to the spam folder because it fails SPF and DKIM.)
- "If I try logging in as a user with an invalid email too many times, it locks them out of their account. That's a denial of service." (Well, yeah, and that's a bummer, but it beats allowing an attacker unlimited attempts.)

I'll say, though, that H1 has been super helpful at screening the worse reports. Sometimes they'll initially block reports like the above, but the researcher will insist that this time it's for real. I don't feel too bad closing those reports as invalid.

In all, I'm a very happy H1 customer. They've been good to work with.
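The first report type above is usually triaged by reading what the receiving mail server recorded about the message. The following is an added example, not code from the commenter or from HackerOne: it parses the `Authentication-Results` header a receiver stamps on a message (RFC 8601 style) and classifies a spoofing PoC by whether SPF/DKIM passed and whether the sender domain publishes a DMARC policy that tells receivers to drop forgeries. The header values, domain names and addresses are constructed for the example, and the four outcome labels are this example's own naming.

```python
import re

# Constructed sample Authentication-Results header values (the "Authentication-Results:"
# name already stripped). Domains/addresses use reserved example names and 203.0.113.0/24.
CONSTRUCTED_HEADERS = {
    # What a strict receiver records for a forged "From: you@example.com" message:
    "forged_strict_receiver": (
        "mx.example-receiver.com; dkim=fail header.i=@example.com; "
        "spf=fail (domain of example.com does not designate 203.0.113.5 as permitted sender) "
        "smtp.mailfrom=you@example.com; dmarc=fail (p=REJECT sp=REJECT dis=none) header.from=example.com"
    ),
    # A receiver that ran no authentication checks and delivered the message anyway:
    "forged_lax_receiver": "mail.example.net; none",
    # Same forgery, but the sender domain publishes no enforcing DMARC policy:
    "forged_no_policy": (
        "mx.example.org; spf=fail smtp.mailfrom=you@example.com; "
        "dkim=fail header.i=@example.com; dmarc=fail (p=NONE) header.from=example.com"
    ),
    # A genuine message sent through the domain's own infrastructure:
    "genuine": (
        "mx.example-receiver.com; dkim=pass header.i=@example.com; "
        "spf=pass smtp.mailfrom=you@example.com; dmarc=pass (p=REJECT) header.from=example.com"
    ),
}

METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
POLICY_RE = re.compile(r"\bp=(none|quarantine|reject)", re.I)


def parse_auth_results(value):
    """Return {method: result} from an Authentication-Results value, plus
    'dmarc_policy' when the receiver recorded the domain's published policy.
    The first ';'-separated field is the authserv-id and is skipped."""
    results = {}
    for stanza in value.split(";")[1:]:
        m = METHOD_RE.search(stanza)
        if not m:
            continue  # e.g. the bare "none" a receiver writes when it checked nothing
        method, result = m.group(1).lower(), m.group(2).lower()
        results[method] = result
        if method == "dmarc":
            p = POLICY_RE.search(stanza)  # "(p=REJECT ...)" comment, if present
            if p:
                results["dmarc_policy"] = p.group(1).lower()
    return results


def triage_spoofing_report(value):
    """Classify a spoofing PoC by what the receiving MTA recorded (labels are this example's own)."""
    r = parse_auth_results(value)
    if r.get("spf") == "pass" or r.get("dkim") == "pass":
        # The message really did come from the domain's authorised senders: not a spoof.
        return "authenticated"
    if r.get("dmarc") == "fail" and r.get("dmarc_policy") in ("quarantine", "reject"):
        # Forged, but the published policy already instructs receivers to quarantine/reject it.
        return "mitigated_by_dmarc"
    if "spf" not in r and "dkim" not in r:
        # The PoC only shows that this particular receiver skipped authentication.
        return "receiver_did_not_check"
    # Checks failed and no enforcing policy exists: the sender domain has something to fix.
    return "forged_no_policy"


if __name__ == "__main__":
    for name, header in CONSTRUCTED_HEADERS.items():
        print(f"{name:24s} -> {triage_spoofing_report(header)}")
```

The "mitigated_by_dmarc" outcome is the Gmail-to-spam case in the comment: the forgery lands at a receiver that enforces the domain's policy, so the PoC does not demonstrate a weakness on the reported domain. "receiver_did_not_check" is the other half of the same story, where the only thing proven is that one webmail provider did not authenticate inbound mail.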