It was volume that was more the issue with the bug bounty program.
They were flooded, and recognising it is all well and good, but not if there’s no good way to filter it out, not without massive collateral.
Right, but the volume was the issue. The cURL team could only work through and verify them so quickly, so the deluge of bug reports just made it impractical for them to dedicate time to sort through it. The idea in getting rid of the bug bounty was that there would be less of an incentive to generate and write a bogus bug report.
If it was just a small handful of fake security reports, they wouldn’t have minded nearly as much.