Unfortunately something like 90% of "vulnerability reports" are some guy in India running an automated scanner reporting something that isn't actually a vulnerability and demanding $1,000+. This creates a ton of noise in the system both for legitimate security researchers and the people stuck managing vulnerability disclosure programs.