varenc 3 hours ago

Also consider putting a security.txt[0] file on your main domain, like here: https://opencode.ai/.well-known/security.txt

I also just want to sympathize with the difficulty of spotting the real reports from the noise. For a time I helped manage a bug bounty program, and 95% of issues were long reports with plausible titles that ended up saying something like "if an attacker can access the user's device, they can access the user's device". Finding the genuine ones requires a lot of time and constant effort. Though you get a feel for it with experience.

[0] https://en.wikipedia.org/wiki/Security.txt

edit: I agree with the original report that the CORS fix, while a huge improvement, is not sufficient since it doesn't protect from things like malicious code running locally or on the network.

edit2: Looks like you've already rolled out a password! Kudos.