by bawolff
1029 days ago
Yeah, if they are refusing to share details without money, that sounds more like extortion.

> That's not to say somebody might discover a new unique vulnerability in the open source software and packages you might be using, except you wouldn't expect them to report it to your company, as some random user on the Internet, when the official projects are on github.

I've actually had this happen once or twice. AFAICT the situation was either that the reporter explains themselves so poorly (in very broken English) that the original project ignored them, or they are trying to maximize bounties by reporting to everyone who uses the package instead of the actual maintainer.

> Alternatively if they reported a very specific issue regarding software you developed, I'm sure it would get your 100% attention.

That's not been my experience so far (knock on wood). It does happen (especially if you offer bounties or you are famous), but it's like 1% of emails you get at most. Most reports are just incoherent nonsense or people misunderstanding the output of an automated scanner. But it's worth it to pay attention for the 1%.