Comment by rebane2001

1 hour ago

I don't think invalid spam reports mean something is overrated. Spam reports are spam reports. That'd be like saying buffer overflows are overrated because there are a bunch of AI-generated invalid spam reports with them.

A valid report needs to demonstrate a realistic attack scenario, and I think that's the approach bug bounties should take.

I think a good example is Google with its stance on open redirects[0]. They won't accept a report just pointing one out, but they will accept one that "can demonstrate that its impact goes beyond phishing".

[0] https://bughunters.google.com/learn/invalid-reports/web-plat...