Comment by mrweasel

2 months ago

Do the security researchers provide you with patches, or is it more frequently "there's a bug here"?

In the latter case I'm wondering if there's an argument to be made for "Show me the code or shut up": simply rejecting reports on security issues which are not also accompanied by a patch. I'm thinking, will it devalue the CVE on the researcher's resume if the project simply says no, on the grounds of not being a fix?

Probably not.

CVE is an index of vulnerabilities. Whether there's a patch and who made it is largely irrelevant in that context.