Nobody is threatening to break your window in this story. I don't know what things are like in NYC, but when someone with a bottle of Windex walks up to my car on the west side of Chicago, my first thought isn't "I should be angry at this person for creating this uncomfortable encounter".
Well, that's the thing, it's implied. Maybe that particular person standing right by your car with a metal pipe (or emailing about an unspecific vulnerability with a hint that payment is required to avoid a bad thing) has no intention to escalate to criminal mischief. Maybe! It's still highly exploitative and deserves to be called out, regardless of the circumstances of the actor.
Who's "us"? There are other people in this very thread talking about curtailing their bounty programs and security contact methods because of the behavior under discussion exploiting the public square, so to speak.
Well, we should summon the nanoluthiers for these people who booted up bounty programs with the expectation that most of the on-spec reports they received would be valid and not the product of automated scanners, because nobody told them they should ask literally anyone who has ever run a bounty program whether these kinds of reports are a norm for unsolicited bounty submissions, or whether they're worth the tradeoff.
People should curtail these "bounty" programs. There is a generalist expectation about how bounties work that is not at all rooted in empiricism. I get why: the idea that you could put a `security.txt` on your website and start getting people to send you good bugs without compensation on faith that you'd come up with a fair valuation and pay accordingly... well, it's a beautiful idea! The fact that it can't possibly work that way, and that acquiring a feed of valid sev:lo-sev:med bugs involves, for savvy companies who have been doing this for 20+ years, outlays of $15,000-$20,000 is, I think, problematic for that idea. If this is news to you, that's fine! But don't run a bounty program; you're not ready, and it is absolutely not a tech company norm that you have to run one of these things.
You're responsible for staffing security@ no matter what you do; you can't curtail it. But you shouldn't advertise to people that you're interested in unsolicited reports unless you're willing to wade through a lot of DMARC spam. That's the tradeoff for getting, every once in a blue moon, a free report of a real vulnerability.
Fine, nothing controversial about anything that you wrote. I simply don't agree that it's wrong to shame people who soft-extort businesses or individuals.