[alkonaut]

If I found a really valuable exploit that I wanted to avoid seeing fixed for at least a few months, then why now swamp the project with false positives for a period of time so that my exploit, if it's found, is just one of hundreds being reported and IF it's reported, there is a chance it's being drowned or even accidentally removed.

[gus_massa]

Perhaps I'm too optimistic, but the legit exploit will have a very different style. Perhaps broken English and a 50% code and 50% text instead of 10% code and 90% text. I guess that a fast triage to detect non-cookie-cutter reports would be enough (but anoying anyway).