Knowing how much outright spam a security email address gets... (luckily spam filtering is good enough to not surface them, but a human still has to periodically go through the spam just to ensure there were no false positives)
Even then, the modern-day incentives around vulnerability disclosure are not helping. Because security bugs are awarded bounties based on their severity, every single reporter has a financial incentive to hype and inflate their findings. "URGENT" this, "CRITICAL" that, "ACCOUNT TAKEOVER" due to an already compromised computer/device, you name it.
Teams without sufficient resources will spend a lot of time dealing with the maladjusted severities. And yes, I believe the "mal-" prefix is warranted. If your report does go through with inflated severity, you stand to make more money.
I am starting to think that a reasonably run bounty programme should state up front that inflated severities in bug reports will reduce their payouts.