theptip 3 days ago

It seems pretty obvious that the bar needs to be raised.

> A security report lands in your inbox. It claims there's a buffer overflow in a specific function. The report is well-formatted, includes CVE-style nomenclature, and uses appropriate technical language.

Given how easy it is to generate a POC these days, I wonder if HackerOne needs to be pivoting hard into scaffolding to help bug hunters prove their vulns.

- Claude skills/MCP for OSS projects

- Attested logging/monitoring for API investigations (e.g. hosted Burp)