by fc417fc802 451 days ago
Not even an attempt at coordinated disclosure? Doesn't that suggest that they understood that this isn't actually a vulnerability?

I'm not convinced that human judgement was ever applied during this situation.
Setting aside the ethics concerns for a moment. If your automated process publishes without coordination, don't you forgo any possible bounty? I thought this was a profit-motivated operation.
I mean, Dask doesn't have money. We're definitely not in a place to pay them a bounty. I imagine this is just marketing on their part, or driving up some metric to show customers.

"Our powerful AI has identified vulnerabilities in 836 projects, many of which you depend on. How can you, enterprise customer, afford not to pay us money?"