Comment by spiffyk

> I guess these guys don't bother to verify, they just blast out AI slop and hope one of them hits?

Yes. Unfortunately, some companies seem to pay out the bug bounty without even verifying that the report is actually valid. This can be seen on the "reporter"'s profile: https://hackerone.com/evilginx