by WelcomeShorty
999 days ago
The "99% of reports were incoherent garbage" is exactly what I get from unsolicited sources. They come mainly in via our (security.txt) email. Since 2019 we have had an externally managed bug bounty program (they own and manage the platform, do the initial triage of reports and pay the bounties; we decide what is accepted and how high the bounty is), and our success rate (actionable reports) has skyrocketed. Our devs love the reports since these are verified to be 1: documented so well that everyone can reproduce them, 2: scored reasonably (much less in-house fighting over whether it's a low or a critical), 3: simple interaction with the individual who triaged/filed the finding (eliminating the horrible interaction via 3 or more steps). The money we spend on the bounties AND the service is easily offset by the quick turnaround times and saved internal struggles & meetings.