[danielvf]

In the software development / security world, someone reporting a vulnerability to you is one of the greatest things one human can do for another.

I've been burned in the long past when trying to be helpful to an activist. The accuracy of information provided was never a consideration.

[gwbas1c]

> In the software development / security world, someone reporting a vulnerability to you is one of the greatest things one human can do for another.

Depends on context. When it's a knowledgeable user reporting the issue, you're right.

What I mostly encounter are for profit "security researchers" who try to profit on fear and/or misunderstanding.

[danielvf]

Yes. As someone who spent years on the receiving end of these, I'd change my original post to be about "real" vulnerabilities, not the results of automated scans.

[pseudo0]

Unfortunately something like 90% of "vulnerability reports" are some guy in India running an automated scanner reporting something that isn't actually a vulnerability and demanding $1,000+. This creates a ton of noise in the system both for legitimate security researchers and the people stuck managing vulnerability disclosure programs.