On its face this sounds like a scheme quickly devised by a malicious actor to gain a trusted role. We're starting to see some external corroboration, so maybe it will turn out to be legitimate after all, but the smart money is always on skepticism.

Definitely. Not showing an immediate threat, such as a copy of the CVE database or a request for money, can be assumed to be the typical approach of a long con rather than a sign of goodwill.